Wednesday, March 9, 2016

ALERT: Reject the DHS Proposal

As part of the rulemaking process, the Department of Homeland Security (DHS) has proposed to exempt its information systems in the National Insider Threat Program from the Privacy Act requirements for criminal, civil, and administrative enforcement. (http://1.usa.gov/1QuPpom)

We should reject it in total.

What does the proposal mean?

The U.S. government has been moving swiftly to implement the National Insider Threat Program under a Presidential Executive Order since 2010. Under this mandate, federal departments and agencies with classified networks are directed to establish insider threat detection and prevention programs. Insider threats include: attempted or actual espionage, subversion, sabotage, terrorism, or extremist activities; unauthorized use or hacking of information systems; unauthorized disclosure of classified or proprietary information or technology; and indicators of potential insider threats (undefined).

Who are the “insiders?”

Current or former federal employees, contractors, or detailees with access to secured systems and classified information are ostensibly within the scope. So are other authorized individuals who access related facilities, equipment, and information. According to the DHS docket (http://1.usa.gov/1paWlRl), the scope also covers family members, dependents, relatives, and individuals with a personal association to an individual under investigation, as well as witnesses and other individuals who provide statements or information related to an inquiry. In total, tens of millions of individuals are potentially covered as insiders under the national program.

What are “secured systems and classified information?”

The answer is elusive because there is no central control or consistent rule in the government.  A simple statistic such as the total number of ongoing economic espionage investigations is a national secret according to the FBI.  What is classified as secret by one federal agency may be simultaneously circulated widely and openly by another agency.  Furthermore, information that has been unclassified for many years can be retroactively reclassified to be secret without explanation, as exemplified recently by the emails of former Secretaries of State.

What is collected and contained in the National Insider Threat Program information systems?

According to the DHS docket, the categories of records are extensive on each individual, including but not limited to personal and biometric data, ethnicity and race, letters and emails, social media accounts, logs of computer activities, travel records and foreign contacts, and information provided by individuals who report known or suspected insider threats. 

On the last point, the U.S. government has reportedly been requiring “federal employees to keep closer tabs on their co-workers and exhorts managers to punish those who fail to report their suspicions” under the National Insider Threat Program (http://bit.ly/1i3VTzA). Others observed that such an unfettered practice of using unreliable sources had been tried during the Cold War to search for Soviet spies and did not work, but it led to the investigations of hundreds of loyal government workers, mostly of Eastern European origin, and ruined the careers of many (http://bit.ly/1MLfTj9). A similar approach by a U.S. senator of making accusations of subversion or treason against anyone “un-American” without proper regard for evidence is now termed “McCarthyism” in today’s dictionary.

The Privacy Act of 1974 provides fair principles to govern the government’s collection, maintenance, use and dissemination of personally identifiable individual records.  With possible exceptions, such as for law enforcement or statistical purposes, the Privacy Act safeguards individual privacy from the misuse of federal records by requiring written consent of an individual before the government agency may disclose the personal record, even if it is to share with another federal agency.  It also grants an individual access to his or her own federal records. 

The DHS has already been collecting and maintaining individual data under the National Insider Threat Program. By citing criminal, civil, and administrative enforcement needs, the DHS proposes exemptions from the Privacy Act so that it can avoid accounting for disclosure, deny an individual access to his or her own records, collect and retain information about an individual regardless of relevancy or accuracy, and waive the requirement to serve notice to the individual when such information is collected or used.

The Story of Sherry Chen

Sherry Chen is a naturalized U.S. citizen and a federal employee. She had been an exemplary, award-winning hydrologist working in the National Weather Service until a co-worker in the U.S. Army Corps of Engineers identified her as a “Chinese National” attempting to access confidential information, which was in fact publicly available (http://bit.ly/1Mr5kHN, page 7).

Sherry was arrested and indicted in October 2014, accused of spying for China, the nation of her birth.  Without credible evidence to proceed, the government dropped her case in March 2015 before her trial was to begin.

Whether it was coincidence or not, the informer was promoted into the National Oceanic and Atmospheric Administration, which oversees the National Weather Service. Sherry was not allowed to return to her job and has been placed on administrative leave at taxpayers’ expense for the past year. To add insult to injury, the National Weather Service initiated the process to terminate Sherry’s employment in September 2015, using the same allegations in the failed prosecution. Her appeal is still pending after six months.

The government has so far refused to provide an explanation of what happened or an apology for its action, despite numerous media editorials, congressional inquiries, and petitions led by Nobel laureates and community and professional organizations (http://bit.ly/AAProfiling). 

Reject the DHS Proposal

The story of Sherry Chen is not an isolated incident.

Racial discrimination and ethnic profiling have been a large part of American history. They have not disappeared. In its current zeal to find and prosecute insider threats, the government seems to consider the protection of some innocent Americans to be only secondary. Lack of accountability permits a rush to judgment and potential misuse and abuse of authority without consequences.

The Federation of American Scientists has already submitted a comment on the DHS proposal stating that, in case of adverse actions, an accused individual should be given at least a summary of the information used against him or her and be allowed to challenge the allegations as a matter of due process.

Whereas

  • Tens of millions of Americans may be covered as insiders under the National Insider Threat Program
  • Massive amounts of data and information are being collected on each of the individuals that may be inaccurate, unreliable, or retroactively modified
  • Federal investigations are subject to human mistakes, errors from using unreliable information, misunderstanding, misguided direction, and illegal profiling
  • Present safeguards have failed and allowed flawed investigations to proceed to wrongful prosecutions
  • There is no statistical and objective third-party monitoring in place to provide accountability and prevent misuse and abuse of authority

The DHS proposal, as it stands, presents high risks that innocent individuals will be falsely accused and subject to unjust and damaging investigations and prosecutions with no recourse. These risks are even higher in today’s turbulent political climate where traditional American values are questioned or even refuted.

Therefore, the DHS proposal should be rejected in total in its present form.

For an alternative proposal to be considered potentially acceptable,
  • An individual should be allowed to review at least a summary of his or her security file upon request
  • An individual should be allowed full access to his or her security file as part of due process upon investigation or when accused of wrongdoing
  • Irrelevant and inaccurate records must be purged from the individual’s records when their status becomes clear
  • The government must produce publicly available statistical summaries on the status and trends of the information systems, including but not limited to the number of individuals covered and the number of ongoing investigations with breakdowns by protected civil rights factors
  • Regular third-party monitoring and review of the inherent policies and practices, such as Congressional hearings or public-private commissions, must be fully established 

Comments on the DHS proposal can be submitted online by individuals or organizations at http://1.usa.gov/1QuPpom.  The comment period ends on March 28, 2016.


This is a personal blog not associated with any organizations.