As part of the rulemaking
process, the Department of Homeland Security (DHS) has proposed to exempt its
information systems in the National Insider Threat Program from the Privacy Act
requirements for criminal, civil, and administrative enforcement. (http://1.usa.gov/1QuPpom)
We should reject it in total.
What does the proposal mean?
The U.S. government has been moving
swiftly to implement the National Insider Threat Program under a Presidential Executive
Order since 2010. Under this mandate, federal departments and
agencies with classified networks are directed to establish insider threat
detection and prevention programs. Insider
threats include: Attempted or actual espionage, subversion, sabotage, terrorism,
or extremist activities; unauthorized use or hacking of information systems;
unauthorized disclosure of classified or proprietary information or technology;
and indicators of potential insider threats (undefined).
Who are the “insiders?”
Current or former federal
employees, contractors, or detailees with access to secured systems and
classified information are ostensibly within the scope. So are other authorized individuals who
access related facilities, equipment, and information. According to the DHS docket (http://1.usa.gov/1paWlRl), they also cover family
members, dependents, relatives, and individuals with a personal association to
an individual under investigation, as well as witnesses and other individuals
who provide statements or information related to an inquiry. In total, tens of millions of individuals are
potentially covered as insiders under the national program.
What are “secured systems and
classified information?”
The answer is elusive because
there is no central control or consistent rule in the government. A simple statistic such as the total number
of ongoing economic espionage investigations is a national secret according to
the FBI. What is classified as secret by
one federal agency may be simultaneously circulated widely and openly by
another agency. Furthermore, information
that has been unclassified for many years can be retroactively reclassified to
be secret without explanation, as exemplified recently by the emails of former
Secretaries of State.
What is collected and contained
in the National Insider Threat Program information systems?
According to the DHS docket, the
categories of records are extensive on each individual, including but not
limited to personal and biometric data, ethnicity and race, letters and emails,
social media accounts, logs of computer activities, travel records and foreign
contacts, and information provided by individuals who report known or suspected
insider threats.
On the last point, the U.S.
government has reportedly been requiring “federal employees to keep closer tabs
on their co-workers and exhorts managers to punish those who fail to report
their suspicions” under the National Insider Threat Program (http://bit.ly/1i3VTzA). Others
observed that such unfettered practice of using unreliable source had been
tried during the Cold War to search for Soviet spies and did not work, but they
led to the investigations of hundreds of loyal government workers, mostly of
Eastern European origin, and ruined the careers of many (http://bit.ly/1MLfTj9). A
similar approach by a U.S. senator of making accusations of subversion or
treason against anyone “un-American” without proper regard for evidence is now
termed “McCarthyism” in today’s dictionary.
The Privacy Act of 1974 provides
fair principles to govern the government’s collection, maintenance, use and
dissemination of personally identifiable individual records. With possible exceptions, such as for law
enforcement or statistical purposes, the Privacy Act safeguards individual
privacy from the misuse of federal records by requiring written consent of an
individual before the government agency may disclose the personal record, even
if it is to share with another federal agency.
It also grants an individual access to his or her own federal records.
The DHS has already been
collecting and maintaining individual data under the National Insider Threat
Program. By citing criminal, civil, and
administrative enforcement needs, the DHS proposes exemptions from the Privacy
Act so that it can avoid accounting for disclosure, deny an individual from
accessing his or her own records, collect and retain information about an
individual regardless of relevancy or accuracy, and waive the requirement to
serve notice to the individual when such information is collected or used.
The Story of Sherry Chen
Sherry Chen is a naturalized U.S.
citizen and a federal employee. She has
been an exemplary, award-winning hydrologist working in the National Weather
Service until a co-worker in the U.S. Army Corps of Engineers identified her as
a “Chinese National” attempting to access confidential information, which was
in fact publicly available (http://bit.ly/1Mr5kHN, page 7).
Sherry was arrested and indicted
in October 2014, accused of spying for China, the nation of her birth. Without credible evidence to proceed, the
government dropped her case in March 2015 before her trial was to begin.
Whether it was coincidence or
not, the informer was promoted into the National Oceanic and Atmospheric
Administration which oversees the National Weather Service. Sherry was not allowed to return to her job
and has been placed on administrative leave at taxpayers’ expense for the past
year. To add insult to injury, the
National Weather Service initiated the process to terminate Sherry’s employment
in September 2015, using the same allegations in the failed prosecution. Her appeal is still pending after six months.
The government has so far refused
to provide an explanation of what happened or an apology for its action, despite
numerous media editorials, congressional inquiries, and petitions led by Nobel
laureates and community and professional organizations (http://bit.ly/AAProfiling).
Reject the DHS Proposal
The story of Sherry Chen is not
an isolated incident.
Racial discrimination and ethnic profiling
have been a large part of American history.
They have not disappeared. In its
current zeal to find and prosecute insider threats, the government seems to consider the protection of some innocent Americans to be only secondary. Lack of accountability permits rush to
judgment and potential misuse and abuse of authority without consequences.
The Federation of American
Scientists has already submitted a comment on the DHS proposal that in case of
adverse actions, an accused individual should be given at least a summary of
the information used against him or her and be allowed to challenge the
allegations as a matter of due process.
Whereas
· Tens of millions of Americans may
be covered as insiders under the National Insider Threat Program
· Massive amounts of data and
information are being collected on each of the individuals that may be
inaccurate, unreliable, or retroactively modified
· Federal investigations are
subject to human mistakes, errors from using unreliable information, misunderstanding,
misguided direction, and illegal profiling
· Present safeguards have failed
and allowed flawed investigations to proceed to wrongful prosecutions
· There is no statistical and objective
third-party monitoring in place to provide accountability and prevent misuse
and abuse of authority
The DHS proposal, as it stands, presents
high risks that innocent individuals will be falsely accused and subject to unjust
and damaging investigations and prosecutions with no recourse. These risks are even higher under today’s
turbulent political climate where traditional American values are questioned or
even refuted.
Therefore, the DHS proposal
should be rejected in total in its present form.
For an alternative proposal to be
considered potentially acceptable,
- An individual should be allowed to review at least a summary of his or her security file upon request
- An individual should be allowed full access to his or her security file as part of due process upon investigation or when accused of wrongdoing
- Irrelevant and inaccurate records must be purged from the individual’s records when their status becomes clear
- The government must produce publicly available statistical summaries on the status and trends of the information systems, including but not limited to the number of individuals covered and the number of ongoing investigations with breakdowns by protected civil rights factors
- Regular third-party monitoring and review of the inherent policies and practices, such as Congressional hearings or public-private commissions, must be fully established
Comments on the DHS proposal can
be submitted online by individuals or organizations at http://1.usa.gov/1QuPpom.
The comment period ends on March 28, 2016.
This is a personal blog not
associated with any organizations.
