Homeland Security Watch

News and analysis of critical issues in homeland security

October 27, 2009

The Right to Be Left Alone…

Filed under: General Homeland Security,Privacy and Security — by Jessica Herrera-Flanigan on October 27, 2009

“That the individual shall have full protection in person and in property is a principle as old as the common law; but it has been necessary from time to time to define anew the exact nature and extent of such protection…

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right “to be let alone”…”

– Samuel D. Warren and Louis D. Brandeis, THE RIGHT TO PRIVACY, 4 Harvard Law Review 193 (1890)

Spencer Hsu of the Washington Post reports today that 28 groups and individuals belonging to the Privacy Coalition are calling for Congress to investigate the Department of Homeland Security’s Privacy Office. The Coalition, in a letter to the House Homeland Security Committee, questioned the adequacy of the Office’s work, especially as it relates to the following technologies:

  • Fusion Centers and the Information Sharing Environment
  • Whole Body Imaging
  • Closed-Circuit Television (CCTV) Surveillance
  • Suspicionless Electronic Border Searches

The group seems to be most concerned with the Privacy Officer’s first responsibility, under Sec. 222(a) of the Homeland Security Act, to assure that “the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information.”   The group also finds fault with the Office’s certifications for exemptions to its obligations under the Privacy Act.

The letter’s premise is interesting in that it furthers the privacy versus security rhetoric that has permeated homeland security. Rather than noting how the two can co-exist, the letter places each against the other, with little room for mitigation or reinforcement — which is at odds with how the Homeland Security Act – rightly or wrongly – put together the Privacy Office’s responsibilities.

The Coalition notes that the Department’s Privacy Compliance Group “manages statutory and policy-based responsibilities by working with each component and program throughout the Department to ensure that privacy considerations are addressed when implementing a program, technology, or policy.”  The letter discusses the Compliance process and then criticizes the Department for focusing its efforts on Privacy Impact Assessments to assure that implementing programs build in privacy protections.   That said, it admits that the assessment process is a possible avenue for the Department to protect privacy and then proceeds to criticize the agency for not providing enough examples in an annual report, even though every PIA is listed.

If the Privacy Office is doing all of the above, it is doing its job. The Coalition, it would seem, is requesting, in part, that programs be dismantled. For example, the letter’s section on whole body imaging suggests that the technology itself is the problem, not the assessment of what privacy measures should be in place. According to TSA and the Privacy Office’s assessments, TSA has put in place privacy protections regarding the use, collection and disclosure of personal information in the case of whole body imaging. According to TSA’s website, the following procedures are in place:

  • The officer who assists the passenger never sees the image the technology produces.
  • The officer who views the image is remotely located, in a secure resolution room and never sees the passenger.
  • To further protect passenger privacy, millimeter wave technology blurs all facial features and backscatter has an algorithm applied to the entire image.
  • The two officers communicate via wireless headset. Once the remotely located officer determines threat items are not present, that officer communicates wirelessly to the officer assisting the passenger. The passenger may then continue through the security process.
  • This state-of-the-art technology cannot store, print, transmit or save the image. In fact, all machines are delivered to airports with these functions disabled.
  • Officers evaluating images are not permitted to take cameras, cell phones or photo-enabled devices into the resolution room.
  • Each image is automatically deleted from the system after it is cleared by the remotely located security officer.

If the Privacy Office evaluated the program during its implementation and worked with TSA to require these protections, hasn’t its statutory duty been met? The Coalition’s suggestions on the Privacy Office’s responsibilities would require a reinterpretation of the statutory language so as to delete the “protections relating to the use, collection, and disclosure of personal information.” The Coalition, it seems, would have the Privacy Office be both judge and jury in deciding whether technologies in and of themselves “erode” privacy in the broadest sense. That, however, is not the Privacy Office’s mandate.

Don’t get me wrong, the letter does raise some legitimate issues that the Privacy Office does need to address.  For example, in the section relating to Fusion Centers and Closed-Circuit Television (CCTV) Surveillance, it suggests that the Privacy Office should have pushed harder for mandatory privacy protections, rather than guidelines and voluntary efforts.   To the degree DHS has procurement, grant, and partnering decisions over such programs, then  stronger protections should be pursued.

In its closing the letter notes that if DHS’s internal privacy office cannot “protect the privacy of American citizens, through investigation and oversight” then “the situation calls for an independent office that can truly evaluate these programs and make recommendations in the best interests of the American public.” The Privacy Office’s mission, as envisioned by the Homeland Security Act, is not that of an independent voice. That voice was created in the 2004 Intelligence Reform Act with the creation of the Privacy and Civil Liberties Oversight Board, which is neither staffed nor active.  That is where the Privacy Coalition should be focusing its attention.

Indeed, in a letter today, Rep.  Jane Harman and Sen. Susan Collins rightly raised concerns with President Obama re the delayed status of nominations to that board.  That independent board is the watchdog for evaluating the privacy in the programs that the Privacy Coalition has raised.  Its mission includes

in providing advice on proposals to retain or enhance a particular governmental power, consider whether the department, agency, or element of the executive branch concerned has explained—

(iii) that the need for the power, including the risk presented to the national security if the Federal Government does not take certain actions, is balanced with the need to protect privacy and civil liberties.

Notably this responsibility is not included in DHS’ Privacy Office job description. Rather than re-interpreting the DHS Privacy Office’s role or creating ANOTHER independent body – the focus should be on getting the Privacy and Civil Liberties Oversight Board in place so that a voice exists to help the government  to determine when security and our “right to be left alone” clash and what steps need to be taken to assure that our nation is secure and our fundamental values and rights are protected.

August 24, 2009

And clean behind your ears too!

Filed under: Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on August 24, 2009

The last couple of weeks I’ve been trying to assess what really happened at Ft. Lewis, Washington. 

Maybe you’ve already heard about John Towery (aka John Jacob), an Army employee, who has been accused of spending two or three years undercover to gather intelligence on Seattle-Tacoma area anti-war organizations.  Mr. Towery is a civilian member of the Ft. Lewis “Force Protection Division” or base security team.  Whether he was free-lancing or operating under orders is an important — and as yet unanswered — question.  (See news stories listed at end of this post.)

Jeff Stein at Congressional Quarterly writes that Mr. Towery’s “reports on antiwar groups were going to the Washington Joint Analytical Center, a partnership of local and state police, the FBI and the federal Department of Homeland Security.”

Anjali Kamat with Democracy Now! (see below) broke the story on July 28.  According to the original report, “The activists claim Towery has admitted to them he shared information with an intelligence network that stretches from local and state police to several federal agencies, to the US military.”

–+–

Evidence-based policing is really common sense policing.  You pay attention to what is happening — you give particular attention to known precursors — and you intervene early to prevent or mitigate outbreaks.

This is essentially the application of  epidemiology to law enforcement.  Malcolm Gladwell makes this connection especially clear in The Tipping Point.

Intelligence-led policing is — or can be – the application of active surveillance and early intervention to prevent catastrophic events.  With clear protocols, effective training, and principled supervision such proactive practices can protect and serve communities… and the Constitution.

But we can forget — or more often, neglect — the self-restraint, discipline, external checks and structural balances needed to avoid  the risk of caretakers becoming carriers of the disease they seek to prevent… or something even worse.

Before 1867 most surgeons did not wash their hands.  As they moved from one patient to another the germs they spread probably killed more than their surgery saved.  Their intentions were noble and pure.  Their hands were bloody, both literally and figuratively.

We don’t know — yet — what happened at Ft. Lewis.  But if anyone associated with the military was involved in any aspect of domestic intelligence-gathering, there should have been the strictest of antiseptic – actually prophylactic – protocols. 

Instead it sounds like someone wasn’t even using soap and singing happy birthday.

News Coverage:

Declassified docs reveal military operative spied on WA peace groups (Democracy Now!)

Olympia anti-war group says Fort Lewis employee a spy (The News-Tribune)

Army looking into monitoring of protest groups (New York Times)

Turning the US army against Americans (The Guardian)

June 11, 2009

James von Brunn: criminal predicate, but reasonable suspicion?

Filed under: Intelligence and Info-Sharing,Legal Issues,Privacy and Security — by Philip J. Palin on June 11, 2009

James von Brunn, the alleged assailant in yesterday’s  fatal shooting of Stephen Johns at the Holocaust museum, has a long history of racist, anti-semitic, anti-government speech and action.  Would he have been a proper target for law enforcement intelligence gathering?

Mr. von Brunn is an 88-year-old military veteran with a prolific and, until today, easy-to-access collection of writings attesting to his hatred of certain groups. Many of these writings and rambling threats have been available at www.holywesternempire.org. This morning the URL announces: “HTTP 403 Forbidden.” He is the author of a 1999 book entitled, Kill the Best Gentiles.

The Southern Poverty Law Center has listed Mr. von Brunn’s website among its large collection of “hate sites.”  The Anti-Defamation League has also monitored Mr. von Brunn. (See more from USA Today.) Would it be appropriate for local, State, or federal law enforcement agencies to collect and store similar information? Or does such information fall within the constitutional provisions of protected speech?

Arguably the most common legal standard for answering the question is 28 CFR, part 23 (or Title 28 of the Code of Federal Regulations, part 23).  This regulation was established, in part, to counter abuse of protected speech by law enforcement agencies in the 1960s and 1970s.

The core legal standard for gathering, collecting, and sharing information (or not) is set out as follows.

§ 23.20 Operating principles.

(a) A project shall collect and maintain criminal intelligence information concerning an individual only if there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.

(b) A project shall not collect or maintain criminal intelligence information about the political, religious or social views, associations, or activities of any individual or any group, association, corporation, business, partnership, or other organization unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.

(c) Reasonable Suspicion or Criminal Predicate is established when information exists which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise. In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of criminal activity either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency which is subject to routine inspection and audit procedures established by the project.

In the case of Mr. von Brunn, was there reasonable suspicion? How about criminal predicate? Were there a sufficient number of “trained law enforcement or investigative agency” personnel assigned to establish reasonable possibility?

I am not a trained law enforcement officer. But I sometimes train such officers. If I had, before yesterday’s attack, read Mr. von Brunn’s writings, I would not have perceived strong grounds for “reasonable suspicion.” I would have had difficulty reading much of the hate-filled, often turgid prose and would have quickly moved on to other targets of concern. (Even last evening, with the day’s events underlining the potential importance, it was a slog to read.)

If for some reason I was motivated to do additional research, I might have established “criminal predicate.”  In 1983 von Brunn was convicted of several charges and imprisoned for an armed attempt to “arrest” Paul Volcker and other members of the Federal Reserve Board.  But even with criminal predicate in hand, given the quarter-century elapsed and the age of the suspect, it is unlikely I would have established  “reasonable possibility.”

Which would have done nothing to save the life of Stephen Johns and — if not for the response of Mr. Johns and other security guards — my inaction could have led to the death and injury of many others at the museum.

I am not arguing for an easy answer.  I am suggesting the need to wrestle with a very tough question.  We can invest so much in defending pre-established positions that, too often, there is little energy left for crafting an imperfect, but principled solution.

Related background:

Russell Porter testimony: Report Card on Homeland Security Information Sharing

Practical Guide to Intelligence Led Policing

Intelligence Led Policing: New Intelligence Architecture

The Constitution Project: Liberty and Security

America’s growing surveillance state

Intelligence Agency Does Not Distinguish Between Terrorism and Peace Activism

(This event’s connection with the withdrawn DHS report on right-wing extremism is covered by Ed O’Keefe in this morning’s Eye Opener. And if you are looking for evidence of the energy invested in defending pre-established positions, check out the comments on O’Keefe’s report.)

UPDATE:

Museum Suspect’s Writings Had Not Triggered a Probe (Washington Post)

Shootings show threat of ‘lone wolf’ terrorists (Associated Press)

May 19, 2009

Intelligence, of all kinds, benefits from education

Filed under: Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on May 19, 2009

UPDATE: The House Homeland Security Committee adopted an amended Resolution 404.  An archived webcast of about 40 minutes and related correspondence is available at: http://homeland.house.gov/Hearings/index.asp?ID=193

I am not certain, but I perceive the amendment as adopted undertakes to achieve the same functional results as the original proposal — accessing source documentation — but without utilizing a Resolution of Inquiry, what is sometimes called a legislative “nuclear option.”  (Please see the House Rules regarding a Resolution of Inquiry.)

Since this quick update on Tuesday several authorities on the rules and rituals of the House of Representatives have confirmed my interpretation of what happened in the Committee.  Making sense of liver and gallbladder entrails can sometimes be a challenge even when fully displayed. (Please see haruspices)

- + -

This morning the House Homeland Security Committee will consider a proposed Resolution of Inquiry (pdf).  If adopted this would require the Department of Homeland Security to release internal documents related to a DHS intelligence product entitled: Rightwing Extremism: Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment.

(A copy of the report and the context for its original release is available by accessing a prior HLSwatch post.)

A Resolution of Inquiry is a rarely used procedure that requires prompt Committee consideration.  In this instance the proposed resolution is unlikely to be adopted.  Committee Chairman Bennie Thompson has characterized the action as a “GOP stunt.” News reports suggest the Chairman will offer an alternative approach.

The DHS intelligence product, since withdrawn, often indulges in over-broad generalization and fails to support its claims with much evidence.  Criticism of the DHS intelligence product often indulges in over-broad generalization and prefers to ignore evidence that might support the report’s claims.

Last week Secretary Napolitano, responding to questions on the matter during her budget testimony, explained, “It was not authorized to be distributed. It had not even completed its vetting process within the department. It has been taken off of the intel web sites and the lexicon that went along with it was similarly withdrawn. Neither were authorized products, and we have now put in place processes. And it turned out there were really no procedures to govern what went out and what didn’t before, and now there are.”

Vetting outputs is different than ensuring rigorous inputs. In the heated response to the mediocre or worse intelligence product, not much light has been shed on the processes that led to its compilation.  I have heard the following explanations or speculation:

  • The language and treatment was selected to match what the product’s consumers — mostly State and local law enforcement — would find helpful. (The phrase “dumbed-down” has unfortunately been used.)
  • The language and treatment was chosen to highlight a threat some DHS analysts perceive has been given too little attention. (Well, if so,  lack of attention is no longer the biggest problem.)
  • The language and treatment resulted from a rather thoughtless cut-and-paste job from various public sources of information. (For example, compare the contents of the report to Wikipedia’s entry on domestic terrorism.)

An important factor in the analytic anemia demonstrated by the rightwing extremism report is an over-dependence on foreign and military intelligence paradigms when doing domestic risk analysis.

Foreign and military intelligence operations usually have very different purposes than criminal intelligence or all-hazards risk analysis.  Foreign and military intelligence gathering is often covert; domestic analysis should usually be overt and open.  Moreover, inside the United States Constitutional  protections — especially those of the first and fourth amendments — apply in a way that foreign and military intelligence analysts do not need to consider.

From a policy perspective these important differences are widely recognized.  But in terms of education, training, information gathering  processes, analytical procedures, and information sharing the differences are much less well-defined.  Many domestic analysts — especially with classified clearances – have come to their positions from military intelligence operations.  Their extensive military training and experience tends to trump the very modest orientation they receive for their new domestic role.

The need for education and training is especially acute among State and regional fusion centers.  A 2008 GAO survey of fusion center leadership found, “challenges obtaining guidance and training. In particular, they (fusion center officials) cited the need for clearer and more specific guidance in a variety of areas, including standards for analyst training and information-sharing policies and procedures, to help address operational challenges.”

I have never encountered a public safety official who purposefully set out to abuse the Constitution (I expect such individuals exist, but I have not met them). I have, however, met plenty of public safety officials — and others — who have received almost no education or training related to Constitutional protections and equally modest preparation in critical assessment of information.

I don’t know — and don’t care — who is to blame for the DHS  report.  We should all care about improving the professional development of those charged with developing such reports.

——————————————–

More background:

A couple of “ancient texts” that may support the argument:

Intelligence Essentials for Everyone  (Joint Military Intelligence College) is an excellent primer on military intelligence, but consider what is missing if the same skills are applied to domestic targets and purposes.

Intelligence Led Policing: The New Intelligence Architecture (Department of Justice, Bureau of Justice Assistance) helps distinguish between foreign and military intelligence and criminal intelligence.  Expansion of these principles to an all-hazards — or all-risks — context is attempted by Catastrophe Preparation and Prevention for Law Enforcement Professionals  (self-promotion alert).

May 17, 2009

DHS National Applications Office (NAO) Update

Filed under: Intelligence and Info-Sharing,Privacy and Security,Technology for HLS — by Philip J. Palin on May 17, 2009

(The following is a guest feature. More information on the NAO and Peter J. Brown is available in a post immediately below)

Prodded by members of the House Homeland Security Committee in particular, Secretary of Homeland Security Janet Napolitano initiated a review of the National Applications Office (NAO) on April 1. Among other things, NAO is designated as the chief source of satellite imagery in support of homeland security and state, local, and tribal law enforcement operations.

NAO is overseen by the Under Secretary for Intelligence and Analysis / Chief Intelligence Officer at DHS. President Obama has nominated Philip Mudd to succeed Mr. Allen in this position.

“The NAO charter, signed by the Secretaries of Homeland Security, Defense, Interior, as well as the Director of National Intelligence and the Attorney General, certifies that the NAO complies with all existing laws, including all applicable privacy and civil liberties standards. The NAO is prepared to begin operations to support civil and Homeland security domains. This program is another step in the right direction to leverage geospatial intelligence as we work to secure the Homeland,” stated Mr. Allen last fall.

Last November, a report issued by the Government Accountability Office (GAO) — “National Applications Office: Certification of Compliance With Legal, Privacy, and Civil Liberties Standards Needs to Be More Fully Justified” — challenged that assertion and raised questions about unresolved legal and policy issues. Many members of Congress on both sides of the aisle, government watchdog and civil rights organizations remain unconvinced that a suitable set of checks and balances is in place so that the NAO can go about effectively processing requests for satellite imagery, and then either approving or rejecting them in turn in support of law enforcement operations — engaging in satellite surveillance while upholding an individual’s civil rights, right to privacy, and other legal rights under existing law.

DHS responded late last week to a number of questions we posed in order to help determine where things stand now. Here are the unedited responses to our questions.

– What is the status of NAO Operations today?

The National Applications Office (NAO) has not yet initiated operations. Secretary Napolitano is reviewing all aspects of the NAO program. The NAO will not begin operations until the Secretary and the other four signatories (Secretaries of Defense and Interior, AG, DNI) to the NAO Charter have approved the NAO to do so.

– Questions have been raised about “DHS Earth” and how this project overlaps with NAO. Has DHS examined this and what is the recommendation from DHS concerning this situation?

DHS Earth provides a “Google Earth” based platform for the provision of some general layers of information that are relevant to DHS agency use.

DHS Earth is solely a dissemination method and analytic tool for some uses and users. To the extent DHS Earth has controls in place to protect individual privacy, civil rights and civil liberties, it could provide a good dissemination means for some unclassified NAO products in the future, consistent with all other proper use requirements under law and policy.

By contrast, NAO was established to meet the needs of non-traditional intelligence users by facilitating access to national intelligence capabilities by such users. NAO will also provide analytical capabilities for the many non-traditional users who do not have such specialized capabilities themselves. As a component of the federal government, NAO is necessarily bound by applicable laws, regulations, policies and procedures as it performs its mission. These multiple layers of safeguards are designed to ensure that all NAO operations respect and preserve the privacy, civil rights and civil liberties of the American public.

– Regarding the NGA Support Team (NST) embedded within DHS which facilitates NGA’s collaboration with DHS, what role does – or will – the NAO play with the NST in developing an effective and elastic common operational picture (COP) for local law enforcement as part of the Homeland Security Information Network?

Through the NST, NGA will partner closely with NAO to support the information requirements of NAO customers. In addition, NGA has a long-standing history of providing geospatial intelligence to both federal government and non-federal government customers. It has well-established, time-tested procedures in place for ensuring that it meets its customer needs in the best way possible, within all legal and policy boundaries. Through the NST, NGA is sharing its corporate knowledge and experience with NAO to ensure that NAO also acts efficiently, legally, and properly in all its operations.

Under current law, NAO is precluded from working on law enforcement issues until the Secretary has certified that NAO meets all applicable privacy and civil liberties standards, and that certification has been reviewed by GAO, with results communicated to the Congress. NAO future plans are premised on handling customer requests and providing requested information through the mechanisms that customers use, and not creating new delivery methods. NGA, through the NST, will be a key partner in meeting that objective.

– And how does this COP-related activity relate or tie into broader efforts at DHS to ensure that layered geospatial visualization supports critical infrastructure protection at the local level via an open architecture-based and enterprise-based approach accessed across all components of DHS?

The National Operations Center (NOC) is in charge of the DHS COP. If the NOC requests geospatial support from the NAO, those requests will be handled consistent with all legal, privacy, and civil rights/civil liberties concerns and guidelines.

– Is the current satellite imagery analysis capability of the FEMA Mapping and Analysis Center deemed adequate? If not, what is being done to address this situation? How is the uncertainty surrounding NAO impacting FEMA in this regard?

NAO’s current status has not had a direct impact on FEMA’s capabilities because FEMA is directly serviced by NGA and others for current imagery needs.

– Can you comment on the status of the proposed shift of the Civil Applications Committee from Interior to DHS?

The Civil Applications Committee (CAC) itself will not shift from Interior to DHS. The functions of the CAC will transition to the NAO, per the requirements of the NAO Charter. The NAO charter spells out that when these functions shift, the CAC and its Charter will sunset and the former CAC functions would be fully integrated into the NAO.

– Customs and Border Protection (CBP) issued an RFI for Multi-role Enforcement Aircraft (MEA) last year. Is there a mechanism in place whereby the imagery and other sensor data gathered by DHS aircraft or Unmanned Aerial System (UAS) is shared with local law enforcement?

The MEA and UAS programs fall under CBP – please contact the CBP Public Affairs office at 202-344-1780. (Update: In early May, CBP issued a Request for Proposal (RFP) for up to 40 MEA’s for use by CBP’s Air and Marine Office. The goal is to procure commercially-available turboprop aircraft primarily for maritime and ground surveillance missions as well as for tracking other aircraft. The RFP requests MEA support for other missions as well.)

– Is the growing conflict along the US – Mexico border changing the debate over NAO or triggering any discussion of possible changes to NAO or the (potential for) imagery-sharing raised in Question #8?

The Secretary has made no decision regarding NAO missions at this time.

Guest feature on the National Applications Office

Filed under: Intelligence and Info-Sharing,Privacy and Security,Technology for HLS — by Philip J. Palin on May 17, 2009

Immediately following is a guest post by Peter J. Brown, a close observer of emergency communications and satellite operations at DHS and FEMA.   The post consists of questions Mr. Brown posed to the Department of Homeland Security about five weeks ago and the answers he received last  Friday. 

According to the official DHS backgrounder the National Applications Office, “is the executive agent to facilitate the use of intelligence community technological assets for civil, homeland security and law enforcement purposes within the United States.”  For more detailed background see the NAO Charter.

NAO has attracted scrutiny, skepticism, and more for the alleged use of satellites to spy on the American people.  Last July, Charlie Allen, former Director of the Office of Intelligence and Analysis, made a case for continuation of the NAO.

Peter J. Brown’s most recent published commentary on emergency communications and related matters appears in the October 2008 issue of “Disaster Medicine & Public Health Preparedness”, a journal of the American Medical Association (subscription required). He has also previously addressed the NAO and the National Emergency Communications Plan here at HLSwatch.

March 20, 2009

Learning Intelligence and Protecting Privacy

Filed under: Congress and HLS,Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on March 20, 2009

On Wednesday the House Homeland Security Committee, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment held a hearing entitled, Homeland Security Intelligence and Limitations.   Access the link for prepared statements and a video of the hearing itself.

Local law enforcement pressed for a more proactive counterterrorism stance, especially in the use of Suspicious Activity Reports. Local law enforcement also asked for more and better federal cooperation in sharing intelligence.  This is hardly a headline. 

The director of the ACLU’s Washington legislative office offered,  “… an unfocused all crimes, all hazards approach to intelligence collection poses significant risks to our individual liberties, our democratic principles and, ironically, even our security.”  Once again, not exactly a surprise.

Unfolding before us in the Cannon House Office Building  was empirical evidence for quantum theory’s notion of parallel universes existing in shared space.  Each side was complete unto itself and detached from the alternative experience with which it was sharing space.  You could perceive subcommittee members playing political cosmologists and working to link the two. But – so far – this apparently exceeds human wisdom.

Other than space, those testifying seemed to share very  little interest in training and education.  Laws, regulations, internal controls, standards, guidelines, strategies, principles, and priorities were all discussed at some length.  Helping law enforcement  professionals learn how to practice intelligence functions effectively and constitutionally… not so much.

For many years the International Association of Law Enforcement Intelligence Analysts has facilitated helpful training.  The DHS Office of Intelligence and Analysis offers training to its state and local partners.  Last year DHS awarded a grant to the National Consortium for Intelligence-Led Policing.  It received $2.48 million to, in part, develop and deliver training and education.  More is being done.  More could undoubtedly be done.

But sometimes we become so preoccupied by “what” we neglect the “how.”  I have never talked to a cop who wanted to undermine the constitution.  I am sure they exist, but I have not talked to one.  I have talked to plenty of cops and other public safety professionals who do not receive any regular training beyond the absolute minimum to keep their badge.  That’s a problem for all sorts of reasons.

March 10, 2009

Fusion Center Focus

Filed under: General Homeland Security,Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on March 10, 2009

The National Fusion Center Conference opens today in Kansas City.  In her recent testimony before the House Homeland Security Committee Secretary Napolitano signaled that her remarks to the conference should be of particular interest.  She is scheduled to keynote at 3PM Central Time on Wednesday.

The President’s budget proposal to Congress has increased federal support for state-operated fusion centers.  This sustained support is consistent with recommendations of an April 2008 GAO study.

The fusion centers are an essential element in anticipating and preventing terrorist activity.  In some jurisdictions the counterterrorism mission is combined with an “all-crimes” mission.  This is consistent with the practice of intelligence-led policing. In a few jurisdictions the fusion centers are assuming an “all-hazards” mission that begins to build a regional capacity for real risk analysis.

This week’s Time magazine opens and closes a story on fusion centers by highlighting concerns about privacy rights.   The potential for abuse is present.   Widely criticized covert investigations by the Maryland State Police did not involve the Maryland Fusion Center, but illustrate the cause for concern.   The American Civil Liberties Union is giving fusion centers ongoing critical attention.

Federal guidelines for fusion centers are explicit and detailed in protection of privacy rights.  Federal statutes, in particular 28 CFR, Part 23, establish rigorous standards for intelligence collection, almost always requiring reasonable suspicion or criminal predicate.  Ongoing training and enforcement is needed to preserve the operational benefits of the fusion centers.

January 6, 2009

National Biometrics Plan Countdown

Filed under: Intelligence and Info-Sharing,Privacy and Security,Technology for HLS — by Jonah Czerwinski on January 6, 2009

The White House issued President Bush’s final Homeland Security Presidential Directive (HSPD-24) on June 5, 2008. Entitled “Biometrics for Identification and Screening to Enhance National Security,” HSPD-24 provides a framework to align Federal executive departments and agencies in the “collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals.”

The PD tasks multiple agencies – led by the AG – with developing an implementation plan by June 2009. DHS has a significant stake in coordinating federal use of biometrics. DHS is the steward of the Biometric Storage System. DHS runs the Screening Coordination Office. DHS operates the U.S. Citizenship and Immigration Services, which conducts 135,000 national security background checks, including the collection of 11,000 sets of fingerprints, every day.

On Jan 27-28, 2009, NDIA convenes its Biometric Conference 2009, which is intended to bring together stakeholders (including federal implementers) to address challenges of successfully implementing HSPD-24, along the lines of the following:
• Policy development
• Existing and planned U.S. Government programs
• Examples of commercial application of biometrics to address mission critical business goals
• Enabling technologies
• Initiatives within the international community
• Challenges to achieving true interoperability and information sharing.

NDIA states that the conference’s goal is to develop a “mutual understanding and cardinal direction for possible solutions wherein jurisdiction gaps are closed, technologies are interoperable and policies are cohesive.”

For more on the conference, check out the agenda here.

December 11, 2008

DHS Releases Data Mining Report to Congress

Filed under: Privacy and Security,Technology for HLS — by Jonah Czerwinski on December 11, 2008

The 9/11 Commission Act included a section called The Federal Agency Data Mining Reporting Act of 2007, which requires the DHS Privacy Office, led by the Chief Privacy Officer, to report to Congress on its implementation of the Act. The Privacy Office just released its report. The new report, “Data Mining: Technology and Policy,” discusses current data mining activities, as well as those under development in the Department. It covers the following ground:

• How DHS programs satisfy the Act’s definition of “data mining”

• The Privacy Office’s public workshop, Implementing Privacy Protections in Government Data Mining (July 24-25, 2008)

• The Principles for Implementing Privacy Protections in S&T Research Projects, which are the newly-announced privacy principles, including those that involve data mining

The report focuses on three major programs:

1. Automated Targeting System (ATS) Inbound, Outbound, and Passenger modules (CBP)

2. Data Analysis and Research for Trade Transparency System (ICE)

3. Freight Assessment System (TSA)

The report provides each program’s purpose and methodology, technology, legal authority, and sources of data, along with an assessment of how well the program is doing.

A challenge for the homeland security community has been the reactive nature of the privacy-related efforts undertaken. Often the Privacy Impact Assessments and other measures are conducted after a technology is developed. Many in the broader policy community and industry have begun suggesting that privacy protections be made a part of technologies, or that technologies be developed for the sole purpose of protecting privacy.

The Privacy Office’s public workshop on Implementing Privacy Protections in Government Data Mining assembled academics, government researchers, policy and technology experts, and privacy advocates this summer to discuss the privacy issues associated with government data mining. One of the outcomes of the workshop was an effort by the Privacy Office and DHS S&T to develop privacy principles that could be embedded in S&T’s research and development projects involving data mining.

This effort led to a set of Principles for Implementing Privacy Protections in S&T Research, which S&T has agreed will govern “new research performed at S&T laboratories, S&T-sponsored research conducted in cooperation with other Federal government entities, and research conducted by external performers under a contract with S&T.”

Many thanks to reader WRC for sending in the notice about this report’s release.

October 23, 2008

A Welcome Reversal on the Watchlist

Filed under: Aviation Security,Intelligence and Info-Sharing,Privacy and Security — by Jonah Czerwinski on October 23, 2008

Earlier this year DHS and the airlines went head-to-head over who should be responsible for checking passengers’ names against the federal no-fly list. DHS said they would maintain a list of names of people that would either be subject to additional screening (“selectee”) or not be permitted to fly (“no-fly”). It did not take long for the airlines to object, claiming an undue burden on their operations, and DHS fretted over inconsistent application of the list by the private air carriers. Eventually, all agreed the situation wasn’t working and today Secretary Chertoff issued a new “rule” reversing the process.

Under the new rule, part of Secure Flight, airlines will submit encrypted flight reservation information to TSA. TSA will compare that data with a constantly maintained/updated no-fly list and selectee list. Then TSA will send the results back to the airline “if there’s a problem,” said Chertoff during a press event today. It is unclear if the airlines only hear back from TSA in the event of a “hit” on the list. It may be the case that if TSA doesn’t comment, then the airlines are clear to board the passenger. Silence equals acceptance?

The private sector fell short in carrying out baggage screening, and so we gave it back to TSA. The private sector failed to meet expectations on the no-fly lists, and so it goes back to TSA. This would seem like a clear cut victory for the airlines. They offload all the risk to TSA at the screening lanes and with checking the no-fly lists.

But this is a win for the traveling public, too. Someone once said that “government is the name we give to those things we decide to do together.” This is a classic example. It never made sense to outsource this important process to the private sector.

And then the Secretary made it interesting: Ever wonder how many names are on that watch list? Well Chertoff decided to share some details. Estimates have ranged up to 1 million names. According to the Secretary, “there are fewer than 16,000 — that’s one six — 16,000 unique individuals who are selectees in TSA’s database.” (He further clarified, “That’s 16,000. One six.”)

He went on to state that most people on the list “are not even American citizens” and the vast majority of the names are for further screening (selectee status); they are not necessarily banned from flying. That number is closer to 2,500, of which approximately 10% are American citizens, according to the Secretary.

July 9, 2008

U.S.-EU Info Exchange Steps Into Shady Territory

Filed under: Intelligence and Info-Sharing,International HLS,Privacy and Security — by Jonah Czerwinski on July 9, 2008

As reported in today’s Washington Post, an employee of investment firm Wagner Resource Group in McLean, VA, traded music or movie files late last year with other users of the online file-sharing network LimeWire while using a company computer. As a result, he inadvertently made the private files of his firm’s clients accessible on the Net.

This exposed the names, dates of birth, and social security numbers of about 2,000 clients, including Supreme Court Justice Stephen G. Breyer.

This puts into perspective the concern expressed by Peter Schaar, Germany’s data protection commissioner, quoted in another story appearing in today’s Post by Ellen Nakashima. Commenting on a new effort by the Department of Homeland Security to gain access to more private information about individuals visiting the U.S. from Europe (as well as sharing such information about Americans with EU countries), Schaar found:

no “clear rules on purpose limitation” or on the storage period. “First,” he said, “which data are of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection.” In European states, independent privacy commissions safeguard the privacy rights of citizens, he said.

If we have social security numbers of Supreme Court Justices being accidentally shared on the Internet, I can see why he might want further assurances. The Post article points out that Schaar’s questions over which “data are of concern is not really completely clear,” may actually be addressed. Unfortunately, it is disturbing which data is to be shared. According to the news:

The agreement, which was described by two European officials, also allows for the transmission of “personal data revealing racial or ethnic origin, political opinion or religious or other beliefs, trade union membership or information concerning health and sexual life” in cases where they are “particularly relevant to the purposes of this agreement.” It defines personal data as “any information relating to an identified or identifiable natural person.”

Political opinion, trade union membership, or information concerning sexual life? This is too much. That the agreement “shall take suitable safeguards, in particular, appropriate security measures, in order to protect such data,” does not provide the convincing assurance that such information would not be accessed by the ill-intended (like the State Department employees illegally accessing passport records) or the clumsy (like the case of the investment firm above).

But such assurances seem secondary in comparison to the apparent lack of connection between someone’s sexual orientation, political affiliation, or membership in a trade union to a criminal act. I can see why such things as previous travel destinations, the purchase of a one-way ticket, or the use of a suspicious credit card would be relevant to an investigation with cause, but knowing if the traveler is gay, a Republican, or a member of the American Federation of Teachers seems too much.

June 6, 2008

New White House Directive on Biometric Data Issued

Filed under: Intelligence and Info-Sharing,Privacy and Security — by Jonah Czerwinski on June 6, 2008

Yesterday the White House issued a new directive intended to coordinate efforts by Federal departments and agencies to collect, store, use, analyze, and share biometric and associated biographic and contextual information of “known and suspected terrorists.”

The joint national security and homeland security directive, known as NSPD-59/HSPD-24, seeks to enhance government capabilities in managing biometric data about suspected terrorists. This directive refers to a “Federal framework for applying existing and emerging biometric technologies to the collection, storage, use, analysis, and sharing of data in identification and screening processes.” The framework is intended to better structure the various federal efforts focused on biometric identification for national security purposes as part of “a layered approach to identification and screening of individuals.”

This dovetails well with the post earlier this week about the discussion with Patty Cogswell of the DHS Screening Coordination Office. Note also the potential relationship between this directive and efforts underway at the FBI (Next Generation Identification) and at DHS (Biometric Storage System).

The following orders, directives, and strategy documents bear on this directive’s implementation:
• Executive Order 12881 (Establishment of the National Science and Technology Council);
• Homeland Security Presidential Directive 6 (HSPD 6) (Integration and Use of Screening Information to Protect Against Terrorism);
• Executive Order 13354 (National Counterterrorism Center);
• Homeland Security Presidential Directive 11 (HSPD 11) (Comprehensive Terrorist Related Screening Procedures);
• Executive Order 13388 (Further Strengthening the Sharing of Terrorism Information to Protect Americans);
• National Security Presidential Directive 46/Homeland Security Presidential Directive 15 (NSPD-46/HSPD-15) (U.S. Policy and Strategy in the War on Terror);
• 2005 Information Sharing Guidelines;
• 2006 National Strategy for Combating Terrorism;
• 2006 National Strategy to Combat Terrorist Travel;
• 2007 National Strategy for Homeland Security;
• 2007 National Strategy for Information Sharing; and
• 2008 United States Intelligence Community Information Sharing Strategy.

The main thrust behind HSPD-24 is an intention to make all biometric and associated biographic and contextual information of threatening persons available to all agencies. Sounds sweeping. The HSPD does make explicit that the scope here is to enable information sharing across the Executive branch, not to collect more biometric data. Given that the Assistant to the President for Homeland Security and Counterterrorism is the primary person responsible for “interagency policy coordination on all aspects of this directive,” this may not mean much. That position has been vacant since last year.

UPDATE: The day before I wrote this post the President named Fran Townsend’s successor. Thomas P. Bossert is the new Deputy Assistant to the President for Homeland Security. This is a promotion from his job as Special Assistant to the President for Homeland Security and Senior Director for Preparedness Policy. Bossert also served as Director of Infrastructure Policy on the HSC staff and, before that, as Deputy Director in the Office of Legislative Affairs at DHS’s former Emergency Preparedness and Response Directorate.

March 24, 2008

REAL ID Showdown Averted?

Filed under: Border Security,Intelligence and Info-Sharing,Privacy and Security — by Jonah Czerwinski on March 24, 2008

Waiting in the HLSWatch.com inbox upon my return from Big Sky, Montana, were scanned copies of correspondence between DHS Assistant Secretary for Policy Stewart Baker and Montana Attorney General Mike McGrath about the state’s request to opt out of the REAL ID Act.

DHS granted an extension on Friday to the state of Montana so that it can comply with the REAL ID Act. The only thing is that Montana never asked for an extension. Montana governor Brian Schweitzer made news over his intention to defy the law passed by Congress in 2005. Schweitzer is leading a charge (joined by Maine, South Carolina, New Hampshire, and Oklahoma) to oppose the REAL ID Act and any efforts by DHS to impose penalties for non-compliance.

The 9/11 Commission recommended that the U.S. rationalize the state identification regime in order to reduce the risk of fraud (suspected to aid terrorists and criminals alike). The Commission argued that the federal government should “set standards for the issuance of … driver’s licenses.” The REAL ID Act requires that a standardized driver’s license be used for “official purposes.” At this point, DHS proposes to define “official purposes” of a REAL ID as accessing federal facilities and nuclear power plants and boarding commercial aircraft. The main beef states have with the Act is the lack of funding to pay for the mandate. DHS is stretching out the compliance period over almost ten years (2014) to make it easier on states, but that only avoids the REAL problem according to Governor Schweitzer. Schweitzer and the Montana state legislature oppose it on principle.

(It sure doesn’t help that the Secretary suggested contrarians should “grow up” about security measures, such as the REAL ID provisions. The statement emboldened critics to examine his tenure more closely and shift the focus away from REAL ID.)

Montana seeks a complete waiver, but DHS’s Stewart Baker explained in a letter to Montana’s Attorney General that DHS has only the authority to carry out the statute or grant extensions to states that “meet the requirements” of the REAL ID Act.

Frankly, after Montana’s governor has called the law “nonsensical”, “kooky,” and “hare-brained,” and invited other states to join him in a showdown over “the DHS coercion to comply,” I’m impressed with Baker’s dispassionate response. Baker wrote in a response the same day he received McGrath’s letter:

Under the statute, the Department [of Homeland Security] can only grant an extension of the compliance deadline [as opposed to a waiver.] Therefore, I can only provide the relief you are seeking by treating your letter as a request for an extension.

Of course, Schweitzer’s whole deal is that he’ll never seek an extension because it would be interpreted as intention to implement the Act.

January 15, 2008

DNI McConnell Sheds Light on Cyber Strategy in Interview with New Yorker

Filed under: Cybersecurity,Privacy and Security,Strategy — by Jonah Czerwinski on January 15, 2008

Additional public information about the developing cybersecurity policy can be found in an interview with DNI McConnell in the Jan 21, 2008, issue of The New Yorker. In it, interviewer Lawrence Wright describes McConnell’s path to prioritizing cybersecurity, the scale of the challenge to secure both government and private networks, and some of the unique characteristics of the plan that invoke privacy concerns. As noted in yesterday’s post, the President requested $436 million to fund cybersecurity initiatives likely to be driven by this strategy.

Highlights:
• In May 2007, at a meeting with the President and several cabinet members, McConnell asked for authority to wage information warfare against the tech savvy insurgents in Iraq. McConnell identified computer-network defense as an area in which the U.S. was under-invested. The President then charged McConnell to craft a security strategy, not only for government systems but also for American industry and private individuals.

• McConnell’s Cybersecurity Policy, which is still in draft, recommends reducing the access points between government computers and the Internet from two thousand to fifty.

• McConnell expresses concern about private sector defense. “The real question is what to do about industry,” McConnell is quoted as saying. He continues, “Ninety-five per cent of this is a private-sector problem.”

• McConnell suggests that the “real problem is the [cyber crime] perpetrator who doesn’t care about stealing [money] —he just wants to destroy.”

• Privacy protections are considered to be in conflict with enhanced security. A contributor to the strategy and long-time collaborator with McConnell says that the government needs the authority to examine the content of any e-mail, file transfer, or Web search.  Citing a maxim among the info-sec community, he concluded that “Privacy and security are a zero-sum game.”

• Aware of the difficulties in obtaining new powers for security measures, McConnell says that “FISA reform will be a walk in the park compared to this….”

September 10, 2007

New Nat’l Applications Office to Open at DHS in OCT

Filed under: Intelligence and Info-Sharing,Organizational Issues,Privacy and Security — by Jonah Czerwinski on September 10, 2007

A new office opens in October at DHS that will manage civilian use of intelligence community and DoD assets. The National Applications Office is the post-9/11 incarnation of what used to be called the Civil Applications Committee that started in 1974 as the result of the President’s Commission on CIA Activities Within the United States (Rockefeller Commission).

Beginning next month, the National Applications Office (NAO) will serve as the “principal interface” between the intelligence community and the Civil Applications, Homeland Security, and Law Enforcement Domains.  According to Bobby Block at the Wall Street Journal, it was a May 25 memo that empowered DHS through the NAO to gain access to some of the U.S.’s most powerful intelligence-gathering capabilities.  Director of National Intelligence Michael McConnell designated DHS as the executive agent and functional manager of the National Applications Office.  It was this May 25 memo to Secretary Chertoff that assigned responsibility to DHS for:

• Enabling a wide spectrum of civil applications, homeland security, and law enforcement users greater access to the collection, analysis, and production skills and capabilities of the intelligence community;

• Enhancing intelligence and information sharing and dissemination to federal, state, and local government and law enforcement users;

• Educating customers about the capabilities and products of the intelligence community;

• Advocating future collection technology needs of the civil applications, homeland security and law enforcement customers in the intelligence community and Department of Defense forums; and

• Providing a forum for discussion of proper use oversight and management of new uses of classified information on behalf of domains, in addition to already established uses.

Last week, the House Homeland Security Committee convened a hearing about the NAO as noted here. Witnesses from DHS included Charlie Allen, Chief Intelligence Officer; Hugo Teufel, Chief Privacy Officer; and Dan Sutherland, the Civil Rights and Civil Liberties Officer.

A National Applications Executive Committee will be established to provide interagency oversight. A DHS fact sheet issued on 15 August describes how the NAO will work with the “advice and support” of three customer domain working groups:

• Civil Applications Domain Working Group: This working group will continue the efforts of the Civil Application Committee that have been ongoing for more than 30 years, including scientific, geographic and environmental research.

• Homeland Security Domain Working Group: The “Homeland Security Domain” includes those government agencies and activities involved in the prevention and mitigation of, preparation for, response to, and recovery from natural or man-made disasters, including terrorism, and other threats to the homeland. This domain can encompass the many operational and administrative components of DHS, as well as other federal, state, local, and tribal elements who partner with the department. Its work will complement the Civil Applications Working Group in areas like natural disaster response.

• Law Enforcement Domain Working Group: This working group includes federal, state, local, and tribal entities, and those activities which support both the enforcement of criminal and civil laws, and the other operational responsibilities and authorities of these entities.

UPDATE 9/11/07: For video stream and complete statements for the record by those testifying before the House Homeland Committee, click here.
