@StateDept Launches New System of Records to Capture All Emails — Hunting For Leakers, Plus Other Stuff

Posted: 1:55 am ET

 

We just stumbled into a December 12, 2017 announcement on the Federal Register about a “New System of Records” signed by Mary R. Avery, the Senior Agency Official for Privacy in the Office of Global Information Services of the State Department’s Bureau of Administration. The notice says that the “purpose of the Email Archive Management Records system is to capture all emails and attachments that interact with a Department of State email account and to store them in a secure repository that allows for search, retrieval, and view when necessary.”

In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of records takes effect upon publication, with the exception of the routine uses that are subject to a 30-day period during which interested persons may submit comments to the Department.

The individuals covered by this new system? All State Department folks with state.gov emails, including people who interact with those state.gov accounts or are mentioned in those email accounts:

“Individuals who maintain a Department of State email account that is archived in the system. The system may also include information about individuals who interact with a Department of State email account, as well as individuals who are mentioned in a Department of State email message or attachment.”

“The records in this system include email messages and attachments associated with a Department of State email account, including any information that may be included in such messages or attachments. The system may also include biographic and contact information of individuals who maintain a Department of State email account, including name, address, email address, and phone number.”

The location of this new system is reportedly at the State Department or annexes and posts overseas, but the notice also says that information “may also be stored within a government-certified cloud, implemented, and overseen by the Department’s Messaging Systems Office (MSO).”

Does anyone know if this new system is managed by a specific contractor or contractors, and if so, which one/s?

Note that the new system does not just capture “record” emails for federal record purposes, but “all” emails. The hunt for leakers starts here? Although if you read item #f below carefully, it looks like emails will also be shared and screened for potential insider attacks, not just on networks, but “for terrorist screening, threat-protection and other homeland security purposes.”

And item #h… oh, my … for people with planned or ongoing litigation! It has always been said that employees should have no expectation of privacy when using government systems; this new system makes clear to everyone how the State Department intends to use and share information in its email system.

Information in this new system may be shared with the following:

(a) Other federal agencies, foreign governments, and private entities where relevant and necessary for them to review or consult on documents that implicate their equities;

(b) a contractor of the Department having need for the information in the performance of the contract, but not operating a system of records within the meaning of 5 U.S.C. 552a(m).

(c) appropriate agencies, entities, and persons when (1) the Department of State suspects or has confirmed that there has been a breach of the system of records; (2) the Department of State has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department of State (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department of State efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(d) another Federal agency or Federal entity, when the Department of State determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(e) an agency, whether federal, state, local or foreign, where a record indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, so that the recipient agency can fulfill its responsibility to investigate or prosecute such violation or enforce or implement the statute, rule, regulation, or order.

(f) the Federal Bureau of Investigation, the Department of Homeland Security, the National Counter-Terrorism Center (NCTC), the Terrorist Screening Center (TSC), or other appropriate federal agencies, for the integration and use of such information to protect against terrorism, if that record is about one or more individuals known, or suspected, to be or to have been involved in activities constituting, in preparation for, in aid of, or related to terrorism. Such information may be further disseminated by recipient agencies to Federal, State, local, territorial, tribal, and foreign government authorities, and to support private sector processes as contemplated in Homeland Security Presidential Directive/HSPD-6 and other relevant laws and directives, for terrorist screening, threat-protection and other homeland security purposes.

(g) a congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual.

(h) a court, adjudicative body, or administrative body before which the Department is authorized to appear when (a) the Department; (b) any employee of the Department in his or her official capacity; (c) any employee of the Department in his or her individual capacity where the U.S. Department of Justice (“DOJ”) or the Department has agreed to represent the employee; or (d) the Government of the United States, when the Department determines that litigation is likely to affect the Department, is a party to litigation or has an interest in such litigation, and the use of such records by the Department is deemed to be relevant and necessary to the litigation or administrative proceeding.

(i) the Department of Justice (“DOJ”) for its use in providing legal advice to the Department or in representing the Department in a proceeding before a court, adjudicative body, or other administrative body before which the Department is authorized to appear, where the Department deems DOJ’s use of such information relevant and necessary to the litigation, and such proceeding names as a party or interests:

(a) The Department or any component of it;

(b) Any employee of the Department in his or her official capacity;

(c) Any employee of the Department in his or her individual capacity where DOJ has agreed to represent the employee; or

(d) The Government of the United States, where the Department determines that litigation is likely to affect the Department or any of its components.

(j) the National Archives and Records Administration and the General Services Administration: For records management inspections, surveys and studies; following transfer to a Federal records center for storage; and to determine whether such records have sufficient historical or other value to warrant accessioning into the National Archives of the United States.

#


EEOC Case: Investigators Find False Accusations, Agency Refuses to Help Clear His Name

Posted: 3:01 am ET

 

This is an EEOC case about a complainant who was the Consul General at the U.S. Consulate General in Naples, Italy. The name used here is a pseudonym, as in EEOC practice, but the details are similar to the ugly, nasty case a few years back that made the news. The most notable lesson here is about the Privacy Act, and the limits of Diplomatic Security’s willingness to clear somebody’s name when needed.

Via eeoc.gov

Believing that the Agency subjected him to unlawful discrimination, Complainant filed an equal employment opportunity (EEO) claim with the Agency. On November 26, 2013, Complainant and the Agency entered into a settlement agreement to resolve the matter. This decision on the breached settlement was issued in November 2016. Excerpt below:

Background:

The record reflects that a subordinate of Complainant (Subordinate 1), who resigned in May 2012, and to a lesser extent her spouse made highly charged allegations against Complainant, i.e., entertaining prostitutes, escorts, and married women in his residence during work hours, engaging in fraud or mismanagement of funds, permitting his driver to be fired so his job could go to someone else and as a form of retaliation, throwing metal umbrella pots from his sixth floor residence down to the parking lot below and then jumping on and crushing them, and this was captured on CCTV and in front of the security guards, and so forth. By April 2013, the U.S. Embassy Rome, in consultation with the Bureau of Diplomatic Security, Special Investigation Division initiated an investigation. The investigation was conducted by two Special Agents with the Bureau of Diplomatic Security, and involved 20 individual interviews with Consulate Staff. It concluded that the accusation that Complainant threw metal pots was “false,” and the three other allegations specified above were completely false. The investigation found that the remaining allegations were variously false, completely false, unsubstantiated, not supported by evidence, and one, in essence, grossly exaggerated.

On June 16, 2013, the New York Post and Fox News published highly negative stories about Complainant, writing for example that Subordinate 1, a whistleblower, said Complainant had trysts with hookers, and this was the latest black eye for the scandal-ridden State Department. On June 17, 2013, Complainant was copied on an Agency email chain regarding the New York Post reporting Subordinate 1’s allegation that Complainant insisted a staffer have an abortion and the staffer said she got her “tubes tied” at his instruction. It was indicated in the email chain that the staffer said the article was “all lies” and felt strongly that she should respond to the article by saying something. The above DCM advised that it would be much better for the staffer not to say anything for now – that this could all blow over quickly.

In his EEO claim, according to Complainant, he alleged discrimination when he was denied assignments in line with his experience, ability, and professional background, the DCM knew that allegations against him by Subordinate 1, her spouse and two others were false and failed to take appropriate action, and management held him accountable for the false accusations and denied him support.

By letters to the Agency dated February 1, 2016 and May 10, 2016, Complainant alleged that the Agency misled him into entering into the settlement agreement and breached it. Specifically, he alleged that when he signed the settlement agreement, the Agency knew Subordinate 1’s EEO complaint had been investigated with a finding of no wrongdoing on his part, that she would likely continue to litigate in federal court, and he could have used the EEO decision to exonerate himself. Complainant wrote that after the settlement agreement, Subordinate 1 continued to attack him in the press, with articles appearing in prominent news outlets such as Newsweek and the New York Post. He pointed to a proposed June 2013 Agency press release recounting that the Diplomatic Security Service investigated the allegations and found no violations of U.S. or Italian law, and contended that had the press release been issued this would have rebutted the articles or they would not have been published. He argues that the Agency allowed employees and family members to utilize the EEO process to raise false allegations against him despite the Agency’s conclusion that they were baseless, and in failing to clear his name breached the settlement agreement and made it ineffective and unenforceable.

The Agency found that it complied with the settlement agreement. Regarding term 9.d, the Agency found that Complainant’s submittal of proposed changes to his 2012 EER was a condition precedent to the former DCM reviewing them and considering making changes, and Complainant admitted he did not submit proposed changes because he was too disheartened and depressed. On appeal, Complainant, who is represented by counsel, confirms this, but adds another reason was that he lacked the necessary facts, particularly the EEO decision on Subordinate 1’s complaint.

Regarding term 9.g, the Agency recounted that Complainant stated it was breached because (1) the Agency simply wrote a one page memorandum simply listing the allegations against him and stating they were found to be unsubstantiated rather than discussing things in context to show how his accusers seized on scandal to defame him and hinder his career, (2) the memorandum was only based on facts until October 2013, failing to fulfill its purpose of summarizing the Diplomatic Security investigation, and (3) the Agency, in response to his inquiries, could not give him a clear answer on whether he could share the memorandum with family, colleagues, friends, and his Italian attorney, preventing him from doing so. On appeal, Complainant confirms that he raised reasons (1) and (3). He argues that not being able to share the memorandum makes it useless and his reason for entering into settlement negotiations was to restore his reputation.

In determining that it complied with term 9.g, the Agency found that it met its obligation to provide a summary of the investigation, and that there is no evidence the parties agreed to any specific format in or upon the use of the memorandum.

In determining that it did not negotiate the settlement agreement in bad faith, the Agency found that Complainant cited no authority for the proposition that it was obligated to divulge the outcome of Subordinate 1’s EEO case, and there was no evidence it negotiated in bad faith.

On appeal, Complainant adds that he would not have bargained for a memorandum summarizing the results of the Bureau of Diplomatic Security’s investigation had he known he could not use it, this is common sense, and the Agency’s failure to authorize its use is a breach of the settlement agreement. Complainant argues that the Agency breached the settlement agreement by failing to live up to the spirit of the document. He argues that the Agency’s failure, upon his request, to allow the issuance of the proposed press release in the Agency’s name violates the settlement agreement.

In opposition to the appeal, the Agency argues that disclosing Subordinate 1’s employment discrimination investigation would violate privacy right protected information, and it did not negotiate the settlement agreement in bad faith.

Decision

In June 2013, after the New York Post reported highly charged accusations by Subordinate 1 about the way Complainant treated a staffer, an Agency email string on which Complainant was copied showed the staffer wanted to say something rebutting what was reported, but the former DCM opined it would be much better if the staffer did not say anything now – this could blow over quickly. Further, Complainant strongly suggests that he was aware the Bureau of Diplomatic Security investigation was favorable and he certainly knew the Agency had done nothing to publically clear his name. While Complainant wanted the Agency to publically clear his name, he agreed to a settlement agreement that did not have a term explicitly doing this. Instead, the Agency agreed to issue to a summary of the Bureau of Diplomatic Security to Complainant – not the public.

Complainant’s contention that the Agency bargained for the settlement agreement in bad faith is not persuasive. First, as argued by the Agency, it had reason to believe the administrative decision on Subordinate 1’s complaint was protected by the Privacy Act, since administrative EEO records are generally within the scope of the Act. Further, Complainant has not shown he did not already have sufficient information to make a fair bargain when negotiating the settlement agreement.

The FAD is AFFIRMED.

Read the full case here via eeoc.gov.

#


When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT

 

The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.

[Screenshot via DHS/OIG]

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past.  There was the 1992 passportgate, of course, which involves a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leaked them to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case. Winter is definitely coming to the Secret Service.

#

 

State Dept refused to name its SGEs because of reasons #1, #2, #3, #4 and … oh right, the Privacy Act of 1974

— Domani Spero

Last week, ProPublica posted this: Who Are State Dept’s 100 “Special Government Employees”? It Won’t Say.  We blogged about it here: Who Are State Dept’s 100 “Special Government Employees”? Dunno But Is Non-Disclosure For Public Good? Today, the Project On Government Oversight (POGO) has more on the subject. And after months of giving one reason or another to the reporters pursuing this case, the State Department is down to its Captain America shield  — the Privacy Act of 1974.

Below excerpted from POGO: State Dept. Won’t Name Advisers Already in Government’s Public Database:

They’ve all been selected to advise the State Department on foreign policy issues. Their names are listed on the State Department’s website.

So why won’t the Department disclose that these individuals are special government employees (SGEs)?

For four months, State has refused to name its SGEs, ProPublica reported last week, leaving the public to guess which outside experts are advising the Department on matters that affect the public’s interest.

Yet, the Project On Government Oversight was able to find more than 100 of the advisers identified as SGEs in an online government database. In other words, some of the information that State has been refusing to provide is hiding in plain sight.
[…]
State has refused to identify any of its special employees, even though most agencies contacted by ProPublica were easily able to provide a list of their SGEs.

First, a State spokeswoman told ProPublica her agency “does not disclose employee information of this nature.”

When ProPublica filed a request seeking the list of names under the Freedom of Information Act (FOIA), it was told the agency doesn’t keep such a list, and State’s FOIA office refused to track down the information because it would require “extensive research.”

In September, ProPublica told State it planned to report that the Department was refusing to provide a list of names. In response, State said the FOIA request “was being reopened” and that the records would be provided “in a few weeks,” according to ProPublica.

“The State Department has since pushed back the delivery date three times and still hasn’t provided any list,” ProPublica reported last week. “It has been four months since we filed the original request.”

On Friday, a State official told The Washington Post that the Department is “diligently working to resolve” the FOIA request. The official cited concerns about “maintaining employee protections of privacy.”

State’s posture over the past several months is at odds with POGO’s finding: why can’t the Department give the press the same information it already supplied to a public database?

“Disclosure of certain employee information is subject to the Privacy Act of 1974,” Alec Gerlach, a State spokesperson, told POGO. “That some information may already be publicly available does not absolve the Department of Privacy Act requirements. Whether someone is an SGE is Privacy Act-protected information that we would not release except through the FOIA process.”

However, one of the authors of ProPublica’s story questioned why State hasn’t turned over the requested records. “I think anytime a government agency won’t reveal information, it raises questions about why they aren’t,” Liz Day, ProPublica’s Director of Research, told POGO.

Holy mother of god of distraught spoxes!  Okay, please, try not to laugh. It is disturbing to watch this type of contortion, and it seems to be coming regularly these days from Foggy Bottom.

Seriously.  If this is about the Privacy Act of 1974, why wasn’t ProPublica told of this restriction four months ago? And does that mean that all other agencies who released their SGE names were in violation of the Privacy Act of 1974?

Also, State/OIG was told that “The number of special government employee filers was given as 100.”  A State Department spokeswoman told ProPublica that there are “about 100” such employees.  But what do you know?  The Project On Government Oversight was able to find more than 100 of the advisers (excel download file) identified as SGEs in an online government database. Are there more? How many more?

The list does not include the more famous SGEs of the State Department previously identified in news reports.

New message from Mission Command:  “Good morning, Mr. Hunt (or whoever is available). Your mission, should you choose to accept it, involves the retrieval of very Special Government Employee (SGE) names. There are more than a hundred names but no one knows how many more.  They are padlocked in the Privacy Act of 1974 vault, guarded by a monstrous fire-breathing creature from Asia Minor. PA1974 vault location is currently in Foggy Bottom.  As always, should you or any member of your team be caught or killed, everybody with a badge will disavow all knowledge of your actions. This message will self-destruct in five seconds.  If not, well, find a match and burn.”

* * *

 

 

 

 

US Embassies Cyprus & Greece: Federal Benefits Recipients at Risk of Identity Theft

You’ve heard about the financial crisis roiling the tiny Mediterranean island of Cyprus. The €10 billion bailout announced recently is not going to be the end of it. According to The Telegraph, Cyprus central bank official Yiangos Dimitriou has confirmed that the cashing of cheques will be banned as part of the introduction of capital controls. Dimitriou also announced that bank withdrawals will be limited to €300 a day. Reuters reported that people leaving Cyprus may take only €1,000 with them. Apparently, there are also notices at the airport warning travelers of the new restrictions and that officers had orders to confiscate cash above the €1,000 limit.

Given that the 2010 OIG report of US Embassy Nicosia made no mention of American Citizen Services, we presume that there are not too many American residents on the island. American retirees have flocked to Greece, and their number in Cyprus is significantly lower than that of UK pensioners, of whom there are reportedly about 18,000 on the island. We understand that the Athens consular district is home to approximately 110,000 American citizens and there is a federal benefits attaché at the US Embassy in Greece who reports to the consul general.

Still, there are potentially enough Americans residing and banking in Cyprus to have prompted the Federal Benefits Unit at the US Embassy in Athens to release the following statement:

We have arranged the following contingencies for customers who receive their federal benefits through Cyprus banks. Under any of these options, direct deposit changes usually occur 2 months after the month we receive the request, so do not close your old account until you receive the first payment in your new account.

Send an email to FBU.Athens@ssa.gov to change how you receive direct deposits.

Use a Subject Line in this format: SUBJECT: CYPRUS – Your name and last 4 digits of your social security number

In the message, provide the following:

1. Last name and first name

2. Street Address

3. Phone Number

4. Social Security Number (9 Digits), and

5. Direct deposit information, depending on the option you request.

Options include designating a bank in the United States to receive direct deposits, designating a bank in Greece to receive direct deposits (though the account must be in euros), and requesting a Chase Direct Benefit Card from JP Morgan Chase Bank.

Read in full here.

Similarly, the contact info for the Federal Benefits Unit in Nicosia requires beneficiaries to provide their SSN via email to consularnicosia@state.gov .


The intention to help as expeditiously as possible is commendable, but did anyone stop and consider how this might put retirees and recipients at risk of identity theft?

Did anyone stop and think how Social Security information is an identity thief’s dream?

With your Social Security number in hand, an opportunistic hacker or other online criminal can do just about anything — create phony bank accounts using your name; charge unlimited amounts of goods and services to credit accounts you never meant to open; steal your identity and recreate it multiple times and in multiple locations.

What security provisions are there to minimize potential misuse of SSNs transmitted via unencrypted email?

Where is the disclosure statement required under the Privacy Act?

The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the Code of Federal Regulations section here: http://edocket.access.gpo.gov/cfr_2008/julqtr/28cfr16.53.htm.

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

Asking the federal benefits beneficiaries to send their social security numbers via email is like asking them to write it on a postcard.  C’mon folks,  would you write and mail yours on a postcard? No? Well then ….


 

 

SBU Foreign Service 2011 Promotion Statistics Officially Published, Color Specialist Gets an “F”

Remember our blog post about the promotion statistics cable that was classified as SBU?  In March, a Foggy Bottom nightingale informed us that the State Department had released its promotion statistics internally. We have not seen a copy of the cable.  We were told that the promotion stats are now protected by the following authorities:

Privacy Act of 1974 – which is terribly funny because the Privacy Act of 1974 purposely has a line that says “(B) but does not include–    (i) matches performed to produce aggregate statistical data without any personal identifiers;”

So then, somebody wrote here and asked, “How does the Privacy Act apply to a bunch of numbers?” And we had to confess that we actually have no idea — unless — a bunch of numbers are now people?

Three months later, the promotion statistics, which were released in an SBU cable, were published by State Magazine; this is something that the magazine does every year, by the way. Only this year, it was months late.

Why bother classifying it SBU in the first place? We did in-depth research and finally got answers! Simply put, cables are boooring, repeat, boooring. DGHR wanted to release the promotion statistics in a full color spectrum; except that their Color Specialist used more dark earth tones on the 8-page spread. What’s with that? It’s summer time, forgodsakes! Next time use something cheerful like Queen Elizabeth fluorescent lime green. Take our word for it, it’ll get everyone’s attention. Below are the extracted stats from the magazine.


Domani Spero

Foreign Service Promotion Statistics: Numbers Now Protected by the Privacy Act of 1974

In March, a Foggy Bottom nightingale informed us that the State Department had released its promotion statistics internally. We have not seen a copy of the cable.  We were told that the promotion stats are now protected by the following authorities:

Privacy Act of 1974 – which is terribly funny because the Privacy Act of 1974 purposely has a line that says “(B) but does not include–    (i) matches performed to produce aggregate statistical data without any personal identifiers;”

So then, somebody wrote here and asked, “How does the Privacy Act apply to a bunch of numbers?” And we had to confess that we actually have no idea — unless — a bunch of numbers are now people?

The promotion stats apparently are also protected by ta-da —

Freedom of Information Act 2002
The new language in this act precluded any covered US intelligence agency from disclosing records in response to FOIA requests made by foreign governments or international governmental organizations.

“The agencies affected by this amendment are those that are part of, or contain “an element of,” the “intelligence community.” As defined in the National Security Act of 1947 (as amended), they consist of the Central Intelligence Agency, the National Security Agency, the Defense Intelligence Agency, the National Imagery and Mapping Agency, the National Reconnaissance Office (and certain other reconnaissance offices within the Department of Defense), the intelligence elements of the Army, the Navy, the Air Force, and the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, the Department of Energy, and the Coast Guard, the Department of Homeland Security, the Bureau of Intelligence and Research in the Department of State, and “such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community.”

As far as we are aware, the promotion statistics of the U.S. Foreign Service are done nowhere near any desks in the Bureau of Intel and Research (INR), so there’s no information contamination of any sort.

The promotion statistics are also protected by 12 FAM 540 SBU (sensitive but unclassified). When you look this up, the cite says:

a. Sensitive but unclassified (SBU) information is information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons. SBU should meet one or more of the criteria for exemption from public disclosure under the Freedom of Information Act (FOIA) (which also exempts information protected under other statutes), 5 U.S.C. 552, or should be protected by the Privacy Act, 5 U.S.C. 552a.

b. Types of unclassified information to which SBU is typically applied include all FOIA exempt categories (ref. 5 U.S.C. 552b), for example:

(1) Personnel, payroll, medical, passport, adoption, and other personal information about individuals, including social security numbers and home addresses and including information about employees as well as members of the public;

Too funny, because the promotion statistics do not include any of the above, nor any personally identifiable information. But the important line is “warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons” — like we just don’t want you to see it, so?

It is also protected by 12 FAM 620 UNCLASSIFIED AUTOMATED INFORMATION SYSTEMS because obviously, the annual promotion statistics is an information system. And anyone who does not get that does not deserve a badge or something.

Finally, the statistics are protected by State 31.  The Googles says that State 31 is a wine company dedicated to crafting small lot wines sourced solely from prime California vineyards.

What? What? How did we end up with wine and vineyards here?

After much digging around the vineyard, we learned that State 31 is STATE-31, a system of human resource records within the State Department. But here is another weird part, it also says:

“System exempted from certain provisions of the Privacy Act: Pursuant to 5 U.S.C. 552a(k)(4), records contained within this system that are maintained solely for statistical purposes are exempted from 5 U.S.C. 552a (c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).”

Now in the past, the Foreign Service Promotion Statistics were published by State Magazine either in its March or April issue. This year, none, including the current May issue, has anything on that. We’ll have to see if it shows up in the June issue, but then of course, with all those “protecting authorities” in place, State Magazine would be too crazy to print it!

Extract from State Magazine, March 2011

We have to say that the “protection” of the promotion statistics under the cited authorities above appears not only arbitrary but also capricious. Why do these numbers need protection, again? In case Al Qaeda copies it for its own up or out system? We get the feeling that all these various authorities were collected and dumped over the hole for shock and awe.

We hope you are properly shocked and awed that numbers with no personally identifiable connection to specific or particular individuals are now protected information.

Silly folks, what’s next, the cafeteria menu?

So then a quick note to Promotion Statistics is called for:

Dear Mr. or Ms. Promotion Statistics –

Like me, you are now protected by the Privacy Act.  The FBI may now do a background check on you, and the IRS may collect taxes. You may now request correction or amendment of any record pertaining to you that may have been incorrectly done. And best of all, you now must sign a Privacy Act Waiver before anyone can officially talk about you.  This gift of genius cannot be overstated enough …

Domani Spero