When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.

Screen Shot 2015-09-30

via dhs/oig

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past.  There was the 1992 passportgate, of course, which involves a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leak it to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case.  Winter is definitely coming to the Secret Service.

#

 

State Dept refused to name its SGEs because of reasons #1, #2, #3, #4 and … oh right, the Privacy Act of 1974

— Domani Spero

Last week, ProPublica posted this: Who Are State Dept’s 100 “Special Government Employees”? It Won’t Say.  We blogged about it here: Who Are State Dept’s 100 “Special Government Employees”? Dunno But Is Non-Disclosure For Public Good? Today, the Project On Government Oversight (POGO) has more on the subject. And after months of giving one reason or another to the reporters pursuing this case, the State Department is down to its Captain America shield  — the Privacy Act of 1974.

Below excerpted from POGO: State Dept. Won’t Name Advisers Already in Government’s Public Database:

They’ve all been selected to advise the State Department on foreign policy issues. Their names are listed on the State Department’s website.

So why won’t the Department disclose that these individuals are special government employees (SGEs)?

For four months, State has refused to name its SGEs, ProPublica reported last week, leaving the public to guess which outside experts are advising the Department on matters that affect the public’s interest.

Yet, the Project On Government Oversight was able to find more than 100 of the advisers identified as SGEs in an online government database. In other words, some of the information that State has been refusing to provide is hiding in plain sight.
[…]
State has refused to identify any of its special employees, even though most agencies contacted by ProPublica were easily able to provide a list of their SGEs.

First, a State spokeswoman told ProPublica her agency “does not disclose employee information of this nature.”

When ProPublica filed a request seeking the list of names under the Freedom of Information Act (FOIA), it was told the agency doesn’t keep such a list, and State’s FOIA office refused to track down the information because it would require “extensive research.”

In September, ProPublica told State it planned to report that the Department was refusing to provide a list of names. In response, State said the FOIA request “was being reopened” and that the records would be provided “in a few weeks,” according to ProPublica.

“The State Department has since pushed back the delivery date three times and still hasn’t provided any list,” ProPublica reported last week. “It has been four months since we filed the original request.”

On Friday, a State official told The Washington Post that the Department is “diligently working to resolve” the FOIA request. The official cited concerns about “maintaining employee protections of privacy.”

State’s posture over the past several months is at odds with POGO’s finding: why can’t the Department give the press the same information it already supplied to a public database?

“Disclosure of certain employee information is subject to the Privacy Act of 1974,” Alec Gerlach, a State spokesperson, told POGO. “That some information may already be publicly available does not absolve the Department of Privacy Act requirements. Whether someone is an SGE is Privacy Act-protected information that we would not release except through the FOIA process.”

However, one of the authors of ProPublica’s story questioned why State hasn’t turned over the requested records. “I think anytime a government agency won’t reveal information, it raises questions about why they aren’t,” Liz Day, ProPublica’s Director of Research, told POGO.

Holy mother of god of distraught spoxes!  Okay, please, try not to laugh. It is disturbing to watch this type of contortion, and it seems to be coming regularly these days from Foggy Bottom.

Seriously.  If this is about the Privacy Act of 1974, why wasn’t ProPublica told of this restriction four months ago? And does that mean that all other agencies who released their SGE names were in violation of the Privacy Act of 1974?

Also, State/OIG was told that “The number of special government employee filers was given as 100.”  A State Department spokeswoman told ProPublica that there are “about 100” such employees.  But what do you know?  The Project On Government Oversight was able to find more than 100 of the advisers (excel download file) identified as SGEs in an online government database. Are there more? How many more?

The list does not include the more famous SGEs of the State Department previously identified in news report.

New message from Mission Command:  “Good morning, Mr. Hunt (or whoever is available). Your mission, should you choose to accept it, involves the retrieval of very Special Government Employee (SGE) names. There are more than a hundred names but no one knows how many more.  They are padlocked in the Privacy Act of 1974 vault, guarded by a monstrous fire-breathing creature from Asia Minor. PA1974 vault location is currently in Foggy Bottom.  As always, should you or any member of your team be caught or killed, everybody with a badge will disavow all knowledge of your actions. This message will self-destruct in five seconds.  If not, well, find a match and burn.”

* * *

 

 

 

 

US Embassies Cyprus & Greece: Federal Benefits Recipients at Risk of Identity Theft

You’ve heard about the financial crisis roiling the tiny Mediterranean island of Cyprus.  The €10 billion bailout announced recently is not going to be the end of it.  According to The Telegraph, Cyprus central bank official Yiangos Dimitriou has confirmed that the cashing of cheques will be banned as part of the introduction of capital controls. Dimitriou also announced that bank withdrawals will be limited to €300 a day.  Reuters reported that people leaving Cyprus may take only €1,000 with them. Apparently, there are also notices at the airport warning travelers of the new restrictions and that officers had orders to confiscate cash above the €1,000 euro limit.

Given that the 2010 OIG report of US Embassy Nicosia made no mention of American Citizen Services, we presume that there are not too many American residents in the island.  American retirees have flocked to Greece and their number in Cyprus is significantly lower than the UK pensioners, of which there are reportedly about 18,000 in the island. We understand that the Athens consular district is home to approximately 110,000 American citizens and there is a federal benefits attaché at the US Embassy in Greece who reports to the consul general.

Still, there potentially are enough Americans residing and banking in Cyprus which prompted the Federal Benefits Unit at the US Embassy in Athens to released the following statement:

We have arranged the following contingencies for customers who receive their federal benefits through Cyprus banks. Under any of these options, direct deposit changes usually occur 2 months after the month we receive the request, so do not close your old account until you receive the first payment in your new account.

Send an email to FBU.Athens@ssa.gov to change how you receive direct deposits.

Use a Subject Line in this format: SUBJECT: CYPRUS

– Your name and last 4 digits of your social security number

In the message, provide the following:

1. Last name and first name

2. Street Address

3. Phone Number

4. Social Security Number (9 Digits), and

5.  Direct deposit information, depending the option you request.

Options include designating a bank in the United States to receive direct deposits, designating a bank in the Greece to receive direct deposits (though the account must be in euros), and requesting a Chase Direct Benefit Card from JP Morgan Chase Bank

Read in full here.

Similarly, the contact info for the Federal Benefits Unit in Nicosia requires beneficiaries to provide their SSN via email to consularnicosia@state.gov .

Screen Shot 2013-03-24

The intentions to help as expeditiously as possible is commendable but did anyone stop and pause how this might put retirees and recipients at risk of identify thief?

Did anyone stop and think how Social Security information is an identity thief’s dream?

With your Social Security number in hand, an opportunistic hacker or other online criminal can do just about anything — create phony bank accounts using your name; charge unlimited amounts of goods and services to credit accounts you never meant to open; steal your identity and recreate it multiple times and in multiple locations.

What security provisions are there to minimized potential misused of SSN transmitted via unencrypted email?

Where is the disclosure statement required under the Privacy Act?

The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the Code of Federal Regulations section here: http://edocket.access.gpo.gov/cfr_2008/julqtr/28cfr16.53.htm.

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

Asking the federal benefits beneficiaries to send their social security numbers via email is like asking them to write it on a postcard.  C’mon folks,  would you write and mail yours on a postcard? No? Well then ….

sig4

 

 

SBU Foreign Service 2011 Promotion Statistics Officially Published, Color Specialist Gets an “F”

Remember our blog post about the promotion statistics cable that was classified as SBU?  In March, a Foggy Bottom nightingale informed us that the State Department had released its promotion statistics internally. We have not seen a copy of the cable.  We were told that the promotion stats are now protected by the following authorities:

Privacy Act of 1974 – which is terribly funny because the Privacy Act of 1974 purposely has a line that says “(B) but does not include–    (i) matches performed to produce aggregate statistical data without any personal identifiers;”

So then, somebody wrote here and asked, “How does the Privacy Act apply to a bunch of numbers?” And we had to confess that we actually have no idea — unless — a bunch of numbers are now people?

Three months later, the promotion statistics which was released in an SBU cable was published by State Magazine; this is something that the magazine does every year, by the way. Only this year, it was months late.

Why bother classifying it SBU in the first place? We did an in-depth research and finally got answers!  Simply put, cables are boooring, repeat, boooring.  DGHR wanted to release the promotion statistics in a full color spectrum; except that their Color Specialist used more dark earth tones on the 8-page spread.  What’s with that? It’s summer time, forgodsakes! Next time use something cheerful like Queen Elizabeth fluroescent lime green.  Take our word for it, it’ll get everyone’s attention. Below is the extracted stats from the magazine.

If you are not able to view the document embedded below, click here to read it on ScribD in full screen.

Domani Spero

Foreign Service Promotion Statistics: Numbers Now Protected by the Privacy Act of 1974

In March, a Foggy Bottom nightingale informed us that the State Department had released its promotion statistics internally. We have not seen a copy of the cable.  We were told that the promotion stats are now protected by the following authorities:

Privacy Act of 1974 – which is terribly funny because the Privacy Act of 1974 purposely has a line that says “(B) but does not include–    (i) matches performed to produce aggregate statistical data without any personal identifiers;”

So then, somebody wrote here and asked, “How does the Privacy Act apply to a bunch of numbers?” And we had to confess that we actually have no idea — unless — a bunch of numbers are now people?

The promotion stats apparently are also protected by ta-da —

Freedom of Information Act 2002
The new language in this act precluded any covered US intelligence agency from disclosing records in response to FOIA requests made by foreign governments or international governmental organizations.

“The agencies affected by this amendment are those that are part of, or contain “an element of,” the “intelligence community.” As defined in the National Security Act of 1947 (as amended), they consist of the Central Intelligence Agency, the National Security Agency, the Defense Intelligence Agency, the National Imagery and Mapping Agency, the National Reconnaissance Office (and certain other reconnaissance offices within the Department of Defense), the intelligence elements of the Army, the Navy, the Air Force, and the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, the Department of Energy, and the Coast Guard, the Department of Homeland Security, the Bureau of Intelligence and Research in the Department of State, and “such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community.”

As far as we are aware, the promotion statistics of the U.S. Foreign Service are nowhere done near any desks in the Bureau of Intel and Research (INR), so there’s no information contamination of any sort.

The promotion statistics are also protected by 12 FAM 540 SBU (sensitive but unclassified). When you look this up, the cite says:

a. Sensitive but unclassified (SBU) information is information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons. SBU should meet one or more of the criteria for exemption from public disclosure under the Freedom of Information Act (FOIA) (which also exempts information protected under other statutes), 5 U.S.C. 552, or should be protected by the Privacy Act, 5 U.S.C. 552a.

b. Types of unclassified information to which SBU is typically applied include all FOIA exempt categories (ref. 5 U.S.C. 552b), for example:

(1) Personnel, payroll, medical, passport, adoption, and other personal information about individuals, including social security numbers and home addresses and including information about employees as well as members of the public;

Too funny, because the promotion statistics do not include any of the above, nor any personal identifiable information. But the important line is “warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons” — like we just don’t want you to see it, so?

It is also protected by 12 FAM 620 UNCLASSIFIED AUTOMATED INFORMATION SYSTEMS because obviously, the annual promotion statistics is an information system. And anyone who does not get that does not deserve a badge or something.

Finally, the statistics are protected by State 31.  The Googles says that State 31 is a wine company dedicated to crafting small lot wines sourced solely from prime California vineyards.

What? What? How did we end up with wine and vineyards here?

After much digging around the vineyard, we learned that State 31 is STATE-31, a system of human resource records within the State Department. But here is another weird part, it also says:

“System exempted from certain provisions of the Privacy Act: Pursuant to 5 U.S.C. 552a(k)(4), records contained within this system that are maintained solely for statistical purposes are exempted from 5 U.S.C. 552a (c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).”

Now in the past, the Foreign Service Promotion Statistics are published by State Magazine either in its March or April issue. This year, none including the current May issue has anything on that.We’ll have to see if it shows up in the June issue, but then of course, with all those “protecting authorities” in place, State Magazine would be too crazy to print it!

Extract from State Magazine, March 2011
(click on image for larger view)

We have to say that the “protection” of the promotion statistics under the cited authorities above appears not only arbitrary but also capricious. Why do these numbers need protection, again?  In case Al Qaeda copies it for its own up or out system?  We get the feeling like all these various authorities were collected and dump over the hole for shock and awe.

We hope you are properly shocked and awed that numbers with no personally identifiable connection to specific or particular individuals are now protected information.

Silly folks, what’s next, the cafeteria menu?

So then a quick note to Promotion Statistics is called for:

Dear Mr. or Ms. Promotion Statistics –

Like me, you are now protected by the Privacy Act.  The FBI may now do a background check on you, and the IRS may collect taxes. You may now request correction or amendment of any record pertaining to you that may have been incorrectly done. And best of all, you now must sign a Privacy Act Waiver before anyone can officially talk about you.  This gift of genius cannot be overstated enough …

Domani Spero

 

 

%d bloggers like this: