The US Department of Homeland Security removed multiple career Customs and Border Protection officials from their roles this year after they objected to orders to mislabel records about surveillance technologies and block their release under the Freedom of Information Act, WIRED has learned.
Since January, DHS leaders have reassigned two of the top officials responsible for ensuring that CBP technologies comply with federal privacy law, according to multiple sources with knowledge of the situation. These sources were granted anonymity because they fear government retribution.
The reassignments followed December orders from the DHS Privacy Office to treat routine compliance forms as legally privileged, and to label signed privacy assessments as “drafts” exempt from disclosure under federal records law.
Those removed include CBP’s top privacy officer and one of the agency’s two privacy branch chiefs. The director of CBP’s FOIA office was also removed last month.
DHS ordered the new secrecy rules, sources say, after a CBP FOIA officer lawfully released a redacted privacy assessment, triggering backlash from DHS political leadership. The document—known as a Privacy Threshold Analysis, or PTA—was obtained by 404 Media last fall, providing the only formal government record of Mobile Fortify, a previously hidden face recognition app.
PTAs are a required compliance form, a questionnaire that describes the basic mechanics of new government systems that use or harvest personal data. It also records whether privacy officers approved the system or ruled the government was legally required to look closer at how it impacts people’s privacy.
In the case of Mobile Fortify, the public learned from the released PTA that DHS had acknowledged the app would capture people’s faces and fingerprints without their consent; that US citizens and lawful permanent residents would inevitably be among those photographed; and that every image taken, regardless of whether it matched anyone, would be stored for up to 15 years.
Labeling the document a “draft” would ostensibly bolster the agency’s ability to bury such revelations using an exception in FOIA that protects “advisory opinions” and “recommendations.” Sources say the privacy officials removed from their posts saw the tactic as legally incoherent, arguing that a completed compliance form could not be simultaneously signed and considered a draft.
“This policy change is illegal,” says Ginger Quintero-McCall, an attorney at the public interest law firm Free Information Group, and former supervisory information law attorney at the Federal Emergency Management Agency, a DHS component. “There is nothing in the FOIA statute—or any other statute—that allows the agency to categorically withhold Privacy Threshold Analyses.”
Quintero-McCall says she witnessed retaliation on the job firsthand before leaving the government last year. “It would not surprise me at all to learn that the administration reassigned employees who objected to this illegal policy of secrecy.”
A DHS spokesperson told WIRED on Monday, “Any allegation that DHS adopted a policy making Privacy Threshold Analyses exempt from the Freedom of Information Act is FALSE.”
Internal emails show otherwise.
On December 3, the DHS Privacy Office announced a “major change” that required all future PTAs to carry a disclaimer marking them exempt from public release. The disclaimer reads in full:
“This is a draft document that is pre-decisional, deliberative, and is designated For Official Use Only. It is subject to the deliberative process privilege and attorney client privilege. It is not to be released, shared, or distributed outside of authorized channels without prior consultation and approval from the Department of Homeland Security Privacy Office. Unauthorized disclosure may result in administrative, civil, or criminal penalties.”
CBP privacy officers, such as the ones reassigned, have not historically signed off on privacy reviews. Under previous administrations, that responsibility rested with a headquarters official working directly for the department’s chief privacy officer. The current chief privacy officer, Roman Jankowski, delegated that authority downward in one of his first acts in office, as WIRED previously reported.
DHS’s spokesperson assured WIRED that when the forms are requested under FOIA, they are subject to “the same review applied to other agency records.” But internal emails indicate a blanket prohibition on their release: “PTAs are NOT supposed to be released at all,” the department’s deputy FOIA chief, Catrina Pavlik-Keenan, wrote in a February 20 email to, among others, Jankowski and his deputy, James Holzer.
The federal government has broadly conceded that FOIA requires the disclosure of these records. The FBI, for instance, has implicitly acknowledged that PTAs are ordinary agency records. In a 2015 case, it released nearly 50 of them—withholding only 12 pages after swearing in court that they were genuine drafts.
DHS’s own website shows it published at least dozens of PTAs last year before ceasing in September. Internal emails show CBP’s FOIA division planned to release another PTA last month concerning the face recognition tool Clearview AI, but DHS blocked it.
“It is especially important that the public have access to these records when agency staff conclude there is no significant privacy impact,” says Nathan Wessler, deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, “because that ends the review process entirely, with no subsequent assessment ever prepared.”
“If the public can’t see the PTA, we’ll never know about faulty reasoning that undervalues privacy threats,” he says, “and that opens people up to violation of their rights.”
Jeramie Scott, senior counsel at the Electronic Privacy Information Center, says that FOIA requires narrow redactions over wholesale secrecy and that withholding the records outright would allow DHS to evade public scrutiny of its expanding surveillance operations.
“Career DHS Privacy officials were right to protest such a blanket move towards secrecy,” he says.
The post DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders appeared first on Wired.
