The quick signatures were necessary if the software giant wanted to move forward with a new law enforcement client: the New York City Police Department, according to people familiar with the case and emails reviewed by Protocol. An NYPD spokesperson did not respond to multiple requests for comment.
“We apologize for the tight deadline and realize we are asking for your help this weekend,” former trust manager Jim Alkove wrote to employees.
The signatures were also necessary for employees to continue working for the civil service. The warning from the top was clear: if you don’t sign, you have to move to another department.
The document in question addressed an undisclosed hurdle the tech industry faces with clients such as the NYPD: Criminal Justice Information Services, or CJIS, a division of the FBI that stores fingerprints, documents, and other data and evidence, among other law enforcement activities, in order to history of suspected criminals.
For a software vendor to work with, say, a city’s local prison system, technicians on those accounts must provide their personal information, including Social Security numbers, to CJIS for background, criminal and credit history checks. It’s similar to the approval tech workers must get to work with federal agencies, known as FedRAMP.
But unlike FedRAMP, clients like the NYPD can add additional requirements — such as excluding someone who has filed for bankruptcy from working on the account — that make the CJIS process more ad hoc. This prevented Salesforce from rolling out a standardized process, sources say.
“Trust is our most important value and we take the protection of our customers’ data very seriously. Protecting customer data includes compliance with various regulatory programs, such as the Criminal Justice Information Services (CJIS) security policy, which may place additional requirements on Salesforce employees,” a Salesforce spokesperson said in an emailed statement.
After receiving a detailed review of the coverage in this story, the spokesperson declined to comment further.
CJIS on the brain
The plunge into CJIS-related work is part of a larger effort by Salesforce to win more government contracts, including top-secret work with agencies like the State Department. The company has at least 12 pending deals with CJIS-related clients, including the US Drug Enforcement Administration, according to a source familiar with the pipeline.
However, the company has struggled to win employee support for the later demands that come with its deeper push into the law enforcement industry. In a sign of the difficulties Salesforce faces, neither the company nor the NYPD would confirm whether the deal discussed at last December’s meeting is still active.
To win more public sector customers, Salesforce must prove that it can meet the requirements set by the NYPD and others. But December’s efforts set off alarm bells for some, ultimately leading to the relocation of several employees from the government cloud division over refusals to sign the contract and submit their personal information, officials said. Salesforce declined to comment on employee-related issues.
With just a few hours to review a contract longer than “War and Peace,” some engineers pushed back. Salesforce executives eventually had to hold a town hall on Dec. 13 to answer questions from employees, the sources said.
In the end, the workers had more time to review and sign the contract. But some employees question the urgent schedule distributed by Salesforce. For example, the documents contained the signature of an executive who had left months earlier, indicating that Salesforce had anticipated this confrontation for a long time, according to a source. A Slack channel that employees had access to also showed conversations from several months earlier in which executives discussed the pending mandate.
Many of the employees’ questions centered on how their information would be used, the protocols to protect it, how long it would be kept and, ultimately, whether this would expose them to false credit or background checks. Salesforce, sources said, gave few answers.
The other glaring problem with CJIS, they argued, is that each potential customer can have a separate list of additional information requirements and subsequent requests that could prevent a person from working on the account. FedRAMP, on the other hand, has a unified list of requirements that all companies must meet.
It’s also a problem some rivals – and close partners – don’t have. Other vendors, namely cloud providers, are likely not required to submit employee information to the CJIS system, even if they work with similar clients. Indeed, for the most part, AWS, Microsoft and Google have implemented tighter protections that prevent their own employees from accessing customer information.
“Cloud service personnel are unlikely to have unsupervised access to unencrypted criminal information,” an FBI spokesperson told Protocol. Spokespersons for AWS, Microsoft and Google Cloud did not respond to multiple email inquiries.
However, Salesforce engineers can access this data to help with maintenance and support, according to a source familiar with its inner workings. Preventing technicians from accessing specific accounts is also difficult, as the different systems all share an underlying infrastructure that makes it difficult to install such firewalls, the sources say. However, according to one of the sources, Salesforce is trying to move some self-hosted programs to FedRAMP systems owned and operated by AWS.
The third time is the charm
The NYPD had strict rules about who could work on the account. For example, anyone who has committed a motion-related offense punishable by a fine of more than $300 or has filed for bankruptcy may not work with the client, sources said.
Some employees were immediately shocked. At the same time, this was not a new request for many in the room.
Salesforce had attempted a similar move twice before, sources say: once, in 2017, with the Philadelphia prison wards, and another time, years later, for a customer who could not be independently verified by Protocol.
The Philadelphia Department of Prisons contract fell through due to worker resistance. Engineers were asked to fill out what amounted to booking forms, the sources said, including a list of any visible tattoos or scars. Since Salesforce employees were technically contractors, this was the only way for the prison system to process the necessary background and credit checks.
A spokesman for the Philadelphia Department of Prisons, however, denied that that’s why the deal failed.
“The contract was not terminated because the employees objected to providing their personal information to CJIS,” they said in an emailed statement. The spokesperson declined to comment further, citing pending lawsuits with the company. Salesforce declined to comment.
But it’s clear the company may not have been prepared for employee resistance.
One of the CJIS requirements, for example, is fingerprinting employees. Salesforce suggested keeping all applicable employee fingerprints on a separate encrypted laptop. This, coupled with a signed employee agreement, would make it easier for the company to provide its employee data to prospective customers. Engineers, however, saw it differently and pushed back. The idea was eventually scrapped.
The pressure to bring in the NYPD — as well as to hire people for related positions — is a clear sign that Salesforce is eager to bring in more law enforcement cases. Salesforce is also trying to ramp up its work with other federal agencies. For example, the company is currently recruiting for a position in “Project Blackjack,” Salesforce’s codename for a top-secret initiative with the State Department.
The effort to push deeper into the law enforcement industry comes at an interesting time for Salesforce. Employees are going public after the shooting in Uvalde, expressing their disappointment at the company’s work with the NRA. And with law enforcement’s reputations irreparably tarnished for some, Salesforce’s growth ambitions could once again clash with cherished cultural values.