WINPHO Description

Infrastructure Overview
WINPHO makes the sharing of digital images possible by doing three things:

1. WINPHO provides custom interfaces, written to allow communication between the WINPHO servers and each specific vendor, or, in the alternative, provides a basic mugshot capture system;
2. WINPHO repackages the images in a format based upon an open architecture, using standards that make the images accessible and available to all users, regardless of their vendor platform;
3. WINPHO connects all users through the highly-secure NLETS backbone—a network to which all users already have access.

WINPHO is designed to be fully conversant in the ANSI/NIST [i] and EFTS 6.2 or higher National Standards ("NIST-compliant") [ii] . While WINPHO will require neither Participants nor Users to be NIST-compliant in order to use WINPHO, NIST-compliance is strongly recommended and fully supported†. The WINPHO servers are configured to accept both NIST and non-NIST-compliant transactions, and will translate or repackage transactions as necessary. This is to say that, if a photo database connected to WINPHO is not NIST-compliant but the User making the request of that database requires NIST format, the data from that system will be repackaged in a NIST format before delivery. Conversely, if the photo database is NIST-compliant and the User making the request is not NIST-able, then the server will repackage the data and deliver it in a non-NIST format.

WINPHO gives law enforcement agencies a cost-effective, multi-state infrastructure through which they may share, not only mugshots, but photographs of missing adults, children and property as well. In fact, any image that can be digitized by a law enforcement agency can be shared with other agencies through WINPHO. Using WINPHO, a law enforcement agency may choose to retrieve a specific photograph from another agency’s database, or scan a photograph of a child into the system at a workstation and deliver it to all other users on the WINPHO network. The possibilities are endless.

In keeping with our mission to use national standards and an open architecture, WINPHO users retrieve photographs through a standard web browser. Therefore, any law enforcement officer with proper authorization, a connection to the NLETS backbone, and a standard, desktop PC running Windows® and a recent version of Microsoft® Internet Explorer® can acquire photographs maintained by another WINPHO participant. The use of a web browser "front end" is not, however, an indication that WINPHO is connected to the Internet. With the exception of VPN connections, WINPHO does not touch the Internet at any point and computers connected to WINPHO must not be connected to the Internet. The use of this standard browser for retrieving images is simply the way that WINPHO guarantees users access to images with the lowest cost and greatest ease possible. Each WINPHO transaction is as secure as the AFIS transactions that occur thousands of times per day on the same, NLETS network.

To use WINPHO, a law enforcement agency needs certain information before making a query, and fishing expeditions are not allowed. This means that WINPHO serves best as an identification tool rather than an investigative tool. For example, in the case of a request for a DMV photograph, the law enforcement query can only be made using an Operator License Number. If the DMV server finds the requested record, that record will be returned to the requester. However, the subject’s address, or other information will be passed to the requester only if the DMV providing the record allows such dissemination. In the case of a request for a mugshot, a booking number or some other identification unique to that subject is required. As a general rule, the requester will have to use traditional methods of finding information that can be used to formulate a query [iii] . Whether that information is generated through rap sheets or other investigative tools is immaterial. What is important is that the identifying information must be in the possession of the requester before initiating a WINPHO query; the WINPHO query is not used to secure the identifying information.

The WINPHO system serves three discreet types of Participants: the Active Participant, which shares index data with the WINPHO server on a regular basis; the Passive Participant, which allows access to that Participant’s system but shares no index information with the WINPHO server; and the Integrated Participant, which stores index information and photographs on the WINPHO server. These three types of Participants are discussed in more detail below. Without regard to type of Participant, there are other gradations of user, based upon security. For instance, a Department of Motor Vehicles may be a Passive Participant and require a user to provide the system with a specific Driver’s License number, returning only the photograph and DMV-selected information. As a Passive Participant DMV will not allow browsing on their system and will not perform searches. Given the sensitive nature of the information on the DMV system, a DMV will further restrict access to a particular group of users. In the case of Oregon DMV, that user group is limited to sworn law enforcement personnel. The structure of this group is strictly construed to exclude criminal justice users who are not part of the law enforcement community. This means that while a police department may have access to the DMV system, a District Attorney, court, or correctional facility will not. On the other hand, a correctional facility may allow all criminal justice personnel access to their system, regardless of whether they belong to the law enforcement subgroup. Each Participant determines the security level of access to be granted to the information which their system contributes to WINPHO, and user groups are defined accordingly with access controlled by the WINPHO server. Users are identified by personal user names and passwords and all transactions are logged. WINPHO logs show the IP from which access was gained, and can be configured to show computer-level "MAC††" addresses as well.

There is a further differentiation among users based upon the access to WINPHO that they have selected. This distinction works in conjunction with the security issue, but also has a separate character. Based upon their need, users may decide to take advantage of the full range of databases on WINPHO that their security level allows them to access, or they may decide to limit their access to a select group. For instance, a correctional facility using a WINPHO capture station may decide that they only wish to have access to the photographs that they themselves placed in the database, even though they may have a security level that entitles them to access another correctional facility’s data as well as their own. This ability is built in to WINPHO and gives WINPHO a total of three types of database access. Again, the first level is set by the Participant—the owner/operator of a given database—and consists of the ability to limit particular kinds of access to that database. The second is also set by the Participant, and consists of the ability to limit the user of that database based upon security. The third level is set by the user and consists of the ability to set the scope of databases available at the user’s workstation, so long as that scope remains within the security level set by the Participant.

WINPHO is, above all, a way to connect law enforcement personnel to the photographs they need. Therefore, the emphasis is largely upon networking and interfaces. However, as part of the initial pilot, WINPHO has designed and is distributing a number of workstations. Some of these workstations, called WINPHO capture stations, are complete digital booking systems consisting of a video camera, computer, and dual monitors. Other workstations are WINPHO Retrieve Stations and offer the ability to access the WINPHO system to retrieve photographs. While WIN has and will continue to distribute WINPHO Retrieve Stations to the extent possible, it is important to note that any PC connected to the NLETS backbone and capable of running the latest version of Microsoft Internet Explore is fully qualified to be a WINPHO Retrieve Station. This may be a PC already on the user’s desk.

† While WINPHO will converse with systems that do not use a NIST format for transmission, adherence to the NIST Best Practice Recommendation is required of all users.

†† "Media Access Control" address.

[i] American National Standard for Information Systems/National Institute of Standards and Technology. Among the fundamental NIST documents bearing upon WINPHO are Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo (SMT) Information," ANSI/NIST-ITL 1-2000, and the "NIST Best Practice Recommendation For The Capture Of Mugshots Version 2.0".

[ii] WINPHO strongly recommends compliance with the NIST Best Practice Recommendation For The Capture Of Mugshots Version 2.0.

[iii] While name search capability is included in the WINPHO application, the fastest, most accurate method of finding a specific record remains that of doing good investigative work before coming to WINPHO, and making a request as specific as possible.