document

ACLU EYE on the FBI: Documents Reveal Lack of Privacy Safeguards and Guidance in Government’s "Suspicious Activity Report" Systems

Document Date: October 30, 2013

Government documents obtained by the ACLU show that nationwide programs that collect so-called "Suspicious Activity Reports" provide inadequate privacy safeguards and guidance on the definition of "suspicious activity," leading to violations of Americans' First Amendment and privacy rights, and to racial and religious profiling.

FOIA Lawsuit

In August 2011, the ACLU filed ACLU v. FBI, a lawsuit to enforce a Freedom of Information Act (FOIA) request for records about the FBI eGuardian program, a nationwide system of collecting and sharing so-called "suspicious activity reports" ("SARs") from the public and law enforcement and intelligence officials across the country. The Department of Justice (DOJ) and National Security Agency (NSA) initially failed to release any records, and DOJ insisted it had no independent obligation to even search for information because eGuardian is run by the FBI. Although the FBI partially released a handful of records, they represented only a fraction of the FBI's records about this nationwide program.

Through litigation, however, the ACLU secured additional agency searches for eGuardian records. As a result, DOJ identified 13,500 pages of records requiring review. Ultimately, between January 2012 and July 2013, the FBI, DOJ, NSA, and Office of the Director of National Intelligence released in full or in part over 1,900 pages of records to the ACLU, and in August 2013 identified hundreds of additional eGuardian records these agencies sought to keep secret under exemptions to the FOIA.

Documents Reveal Inadequate Privacy Safeguards and Lack of Guidance Over Use of Suspicious Activity Reporting Systems

Although many of the released records are heavily or even entirely redacted, the documents shed important light on eGuardian, a competing suspicious activity reporting program known as the Information Sharing Environment Suspicious Activity Reporting ("ISE-SAR") Shared Spaces, and the Department of Justice's umbrella Nationwide Suspicious Activity Reporting Initiative ("NSI"), of which both systems are a part.

The documents confirm that these programs give extremely broad discretion to law enforcement officials to monitor and collect information about innocent people engaged in commonplace activities, and to store data in criminal intelligence files without evidence of wrongdoing (p. 1). They also demonstrate that several fusion centers and state and local law enforcement agencies have resisted using eGuardian because of concern over whether the system has an approved privacy policy, whether it is adequate in light of state and local laws protecting privacy, the general lack of guidance on the system, and the lengthy retention of data in eGuardian.

For example, in 2009, the New York State Intelligence Center indicated it "would not forward SARs to eGuardian" without confirmation that the system had a DOJ-approved privacy policy. In 2010, an official of the State of Iowa Intelligence Fusion Center (p. 1) complained about the "huge disconnect on how eGuardian is to work" and reported that the "local FBI field office" lacked "guidance on how or when to use eGuardian." In 2011, a number of state and local law enforcement agencies stated they would share Suspicious Activity Reports with the FBI only after controlling "what gets shared consistent with local/state laws, privacy issue [sic] and local expectations of community standards." Similarly, a 2012 email chain shows that the Minnesota Joint Analysis Center (p. 2) reported it would not send Suspicious Activity Reports to eGuardian at all, and that the New Jersey Fusion Center (p. 1) was sharing reports with the FBI only after first vetting reports itself. And a 2011 document (p. 1) demonstrates that "Fusion Center concerns" about using eGuardian prompted the FBI to change the system's data retention policy "from 30 years to 5 years (followed by a 5-year archive period)." Yet, a 2013 Government Accountability Office report recently confirmed that there is continuing cause for concern because even after Suspicious Activity Reports are deleted from eGuardian, the FBI retains the reports for at least an additional 30 years in another location.

The documents obtained by the ACLU further confirm that the Nationwide Suspicious Activity Reporting Initiative, eGuardian, and the Information Sharing Environment Suspicious Activity Reporting Shared Spaces use vague and expansive definitions for "suspicious activity" that have caused persistent confusion among federal, state, and local law enforcement. This confusion underscores the ACLU's concern — shared by some state police departments — that Suspicious Activity Reports will be based on racial or religious profiling or the exercise of First Amendment rights, rather than evidence of wrongdoing.

For example, in 2009, the Boston Police Department (p. 81) "recommended that the appropriate threshold be clearly defined for entering a SAR into the ISE-SAR Shared Spaces," cautioned against "the entry of information . . . that is not of value," and emphasized the need to "avoid large volumes of information being ‘dumped' into the system." The Miami-Dade Police Department (p. 115) warned that "[t]he NSI needs to stay focused on behaviors and not individuals," suggesting that problems with guidance on what constitutes "suspicious activity" would result in inappropriate profiling. Such confusion over the definition of "suspicious activity" is hardly surprising in light of the government's failure to make clear that 28 C.F.R. Part 23 — a regulation long applied to criminal intelligence information to safeguard privacy, civil rights and civil liberties — applies to nationwide suspicious activity reporting programs, requiring "reasonable suspicion" of criminal activity to justify the collection, retention and dissemination of Suspicious Activity Reports about innocent people.

The documents obtained by the ACLU thus heighten concerns previously expressed by the ACLU and others that eGuardian, the Information Sharing Environment, and the broader Nationwide Suspicious Activity Reporting Initiative have opened the door to violations of civil rights and civil liberties across the country. The ACLU of California recently obtained summaries of SARs (p.3–4) produced by California fusion centers that vindicate these concerns, showing that Suspicious Activity Reports contained no reasonable evidence of criminal activity but were primarily justified based on bias against racial and religious minorities and the exercise of First Amendment rights. Based on the reports obtained thus far, photography and videography are frequently reported without additional facts, rendering these constitutionally-protected activities inherently suspicious.

Additional information from specific documents follows the recommendations below.

Recommendations

The increasingly widespread use of eGuardian, as revealed by the documents, only underscores the serious need for reform. In 2010, the Department of Defense announced that it would participate in the Nationwide Suspicious Activity Reporting Initiative through eGuardian. "As of February 2010, there were more than 560 Federal, state, local, and tribal member agencies with more than 1,800 individual eGuardian users who had reported and shared almost 3,000 incidents." (p. 3) Just six months later, the number of Suspicious Activity Reports in eGuardian had jumped to 5,176 (p.1). And press reports indicate that by December 2010, some 890 state and local agencies had submitted 7,197 reports for inclusion in eGuardian.

The ACLU urges each of the federal agencies involved — the Department of Justice, Federal Bureau of Investigation, Department of Homeland Security, Office of the Director of National Intelligence, National Security Agency, and the Department of Defense — to make public the policy and guideline documents governing nationwide suspicious activity reporting programs, including the Nationwide Suspicious Activity Reporting Initiative, eGuardian, and the Information Sharing Environment Suspicious Activity Reporting Shared Spaces, and to reform these programs to:

  1. Require reasonable suspicion of specified criminal activity in order to collect, retain or disseminate SARs containing personally identifiable information, as required by federal regulation 28 C.F.R. Part 23;
  2. Clearly and unequivocally prohibit the collection, retention, or dissemination of information about the First Amendment-protected political, religious or social views, associations, or activities of any individual or any group, association, corporation, business, partnership, or other organization unless that information directly relates to criminal activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal activity;
  3. Remove photography and other activities clearly protected by the First Amendment from inclusion in lists of categories of suspicious activity or other guidance criteria to prevent the unlawful stops, detention, and harassment of photographers; videographers, and journalists;
  4. Give agencies contributing Suspicious Activity Reports continuing control over the information in the federal suspicious activity reporting systems to modify, correct, update, and purge data according to state and local laws, regulations, and policies; and
  5. Require routine review and re-examination of stored Suspicious Activity Reports to purge any information that is misleading, obsolete, or otherwise unreliable; and require that all Suspicious Activity Reports be purged from all data systems within five years and that all recipient agencies by advised of such changes which involve errors or corrections. No data not leading to an investigation should remain in a suspicious activity reporting system or any other federal database for more than five years.

Read the rest of the alert >>