The quick signatures were necessary if the software giant were to move forward with a new law enforcement client: the New York City Police Department, according to people familiar with the case and emails reviewed by Protocol. A spokesman for the NYPD did not respond to a request for comment.
“We apologize for the tight deadline and realize we’re asking for your help this weekend,” former union chief Jim Alkove wrote to staff.
The signatures were also necessary for employees to continue working in the government department. The warning from the summit was clear: Those who did not sign had to move to another department.
The document in question addressed a secret obstacle that the technology industry faces in working with clients such as the NYPD: Criminal Justice Information Services, or CJIS, a department of the FBI that keeps fingerprints, documents and other data and evidence used, among other law enforcement activities, to investigate the history of suspected criminals.
In order for a software vendor to work with, for example, a city’s local prison system, engineers on these accounts are required to provide their personal data – including civil registration numbers – to CJIS for background checks. This is similar to the clearance tech workers must obtain to work with federal agencies, known as FedRAMP.
But unlike FedRAMP, clients like the NYPD can add additional requirements – such as preventing anyone who has filed for bankruptcy from working on the account – that make the CJIS process more ad hoc. This prevented Salesforce from being able to roll out a standardized process, sources say.
“Trust is our most important value and we take the protection of our customers’ data very seriously. The protection of customer data includes compliance with various regulatory programs, such as the Criminal Justice Information Services (CJIS) security policy, which may impose additional requirements on Salesforce employees,” said a Salesforce spokesman in an email.
After receiving a detailed overview of the reporting in this story, the spokesman declined to comment further.
CJIS on the brain
Diving into CJIS-related work is part of a larger effort by Salesforce to win more public business, including top-secret work with agencies like the State Department. The company has at least 12 pending agreements with CJIS-related customers, including the US Drug Enforcement Administration, according to a source familiar with the pipeline.
However, the company has struggled to encourage employee support for the later demands that come with its deeper push into the law enforcement industry. As a sign of the difficulties Salesforce is facing, neither the company nor the NYPD would confirm whether the deal discussed at the meeting last December is still active.
To win more customers in the public sector, Salesforce must prove that it can meet the demands of the NYPD and others. But the December effort set off alarm bells for some, which ultimately led to the relocation of more employees from the government’s cloud department due to refusals to sign the contract and submit their personal information, officials said. Salesforce declined to comment on employee issues.
With only a few hours to review a contract larger than “War and Peace,” some engineers pushed back. Salesforce executives ended up having to hold a town hall on Dec. 13 to answer questions from employees, sources said.
In the end, the workers had more time to review and sign the contract. But some employees questioned the urgent schedule circulated by Salesforce. For example, the documents contained the signature of a manager who had left months before, indicating that Salesforce had long anticipated this confrontation, according to a source, and a Slack channel to which employees had access showed conversations with managers who discussed the mandate pending several months earlier.
Many of the questions from the employees were about how their information would be used, the protocols to protect them, how long they would be kept and ultimately whether this would open them up to unnecessary credit or background checks. Salesforce, sources said, gave few answers.
The other conspicuous problem with CJIS, they argued, is that each potential client may have a separate list of additional information requirements and subsequent requests that may prevent a person from working on the account. FedRAMP, on the other hand, has a uniform list of requirements that must be met by all companies.
It’s also a problem that some rivals – and close partners – do not have. Other vendors, namely cloud providers, are unlikely to need to submit employee information to the CJIS system even if they work with similar customers. In fact, AWS, Microsoft, and Google have mostly implemented stricter protections that prevent their own employees from accessing customer information.
“Cloud service personnel have hardly unaccompanied access to unencrypted criminal information,” an FBI spokesman told Protocol. Spokesmen for AWS, Microsoft, and Google Cloud did not respond to further emails.
However, Salesforce engineers can access this data to help with maintenance and support, according to a source familiar with its internal functions. It is also difficult to prevent engineers from accessing specific accounts, as the various systems all share the underlying infrastructure that makes it difficult to install such firewalls, the sources say. However, Salesforce is trying to move some self-hosted programs to FedRAMP systems owned and managed by AWS, according to one source.
Third time is the charm
The NYPD had strict rules for who could work on the account. For example, anyone who committed a felony in motion that could be punished with a fine of more than $300 or filed for bankruptcy was barred from working with the client, sources said.
Some employees immediately refused. At the same time, it was not a new wish for many in the room.
Salesforce had tried a similar move twice before, sources say: once, in 2017, with Philadelphia jail wards, and another time, years later, for a client that could not be independently verified by Protocol.
The contract with the Philadelphia Department of Prisons fell to the ground under employee opposition. Engineers were asked to fill out what corresponded to reservation forms, the sources said, including indicating any visible tattoos or scars. Since Salesforce employees were technically contractors, this was the only way for the prison system to process the necessary background and credit checks.
However, a spokesman for the Philadelphia Department of Prisons denied that was the reason the agreement fell apart.
“The contract was not terminated because the employees objected to giving their personal information to CJIS,” they said in an email. The spokesman declined to comment further, citing ongoing lawsuits with the company. Salesforce declined to comment.
But it is clear that the company may not have been prepared for the resistance of the employees.
One of the CJIS requirements is, for example, employee fingerprints. Salesforce suggested storing the fingerprints of all relevant employees on a separately encrypted laptop. This combined with a signed employee agreement would then make it easier for the company to deliver its employee data to future customers. Engineers, however, saw it differently and pushed back. The idea was eventually scrapped.
Pushing to land the NYPD – as well as hiring for related roles – is a clear sign that Salesforce is eager to win more law enforcement business. Salesforce is also trying to increase its work with other federal agencies. For example, the company is currently recruiting for a position at “Project Blackjack”, Salesforce’s code name for a top secret initiative with the State Department.
Efforts to push deeper into the law enforcement industry come at an interesting time for Salesforce. Employees are going public with their disappointment over the company’s work with the NRA after the Uvalde shooting. And with law enforcement’s reputation tarnished for something that cannot be repaired, Salesforce’s growth ambitions may once again clash with its beloved cultural values.