Among the greatest internally-perceived dangers to the Department of Defense, and to sensitive areas of the government more broadly, is that posed by whistleblowers and leakers like Chelsea Manning and Edward Snowden – the “insider threat.” Yet in their eagerness to root out this threat and others, military policymakers may be making the problem worse.
The Electronic Privacy Information Center (EPIC) submitted comments to the Defense Department this week outlining a number of concerns the group had regarding a proposed “Insider Threat Database.” Among the issues raised were the vagueness of what constitutes an “insider threat,” along with the massive amount and level of detail of personal information to be collected.
The insider threat is loosely defined, presumably including people like Fort Hood shooter Nidal Hasan and Washington Navy Yard killer Aaron Alexis, but also leakers, in no uncertain terms. In short an insider threat could be anything or anyone that might cause “damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.” That’s not even an exhaustive list, but by itself it casts a wide net.
Beyond basics like name and date of birth, the proposed database would include personal information on Defense Department employees such as ethnicity and race, gender, social media account information, background reports that include medical and financial data, travel records, association records, and citizenship records for roommates and spouses. The database would include “biometric data” – which today could mean anything from palm and fingerprints to blood and hair samples to photos for face recognition and iris scans, or perhaps all of the above.
The EPIC comments also note that the proposed database would include information taken from a form called FS-86, which includes additional details such as passport and social security information, educational history, and drug and alcohol use records. This FS-86 information was specifically targeted when the Office of Personnel Management was hacked last year and personal information on more than 20 million people was stolen, which makes sense, given its potential usefulness for identity theft, espionage and blackmail.
“The OPM data breach concerning SF-86 is widely considered the most serious breach in the history of the U.S. government,” the EPIC commentary notes.
Pointing out that a wide variety of government agencies have been hacked in recent years, the authors say the Defense Department is no exception, except perhaps in being a more vulnerable target than some others. “DoD is uniquely susceptible to data breaches,” they write, adding that the department “lacks sufficient capacity to detect and block unauthorized software.” Indeed, this is illustrated by the fact that when the Pentagon recently invited hackers – some as young as 18 years old – to attempt to find vulnerabilities in its cyber-defenses, they found more than 100.
“These weaknesses in DoD databases increase the risk that unauthorized individuals could access, copy, delete, or modify sensitive information, including medical, financial, education, and biometric information contained in the ‘Insider Threat’ Database on a wide variety of individuals,” the EPIC comments state. “Accordingly, DoD should maintain only records that are relevant and necessary to detecting and preventing insider threats.”
Indeed, according to EPIC’s reading of the proposal for the new database, the Defense Department is admitting that it will collect information that is not necessarily relevant to any specific investigation. “By implication,” EPIC writes, the department “objects to guaranteeing ‘fairness’ to individuals in the ‘Insider Threat’ Database.”
If the Defense Department isn’t even willing to guarantee “fairness” to any of its employees, or even to job applicants, it seems likely that its plan to subject these people to intensive, invasive scrutiny and long-term record-keeping to prevent them becoming “insider threats” may be an uphill battle.