Customs under fire for sweeping scans of employees’ personal data

McClatchy Washington BureauJuly 8, 2014 


United States Customs and Border Protection officers span the northbound approach to the Otay Mesa Port of Entry from Tijuana, Mexico, March 10, 2014.


— A troubled division of Customs and Border Protection whose leader was recently ousted by the Obama administration is now accused of improperly scrutinizing the personal information of the agency’s 60,000 employees for evidence of potential misconduct and corruption.

In one program, the agency’s internal affairs division shared employees’ Social Security numbers with the FBI, looking for possible criminal leads. The program is no longer operating and is under review by the Department of Homeland Security’s inspector general, according to three federal officials with knowledge of the inquiry.

In another effort, the division automatically scanned the Social Security numbers of all the agency’s employees in a Treasury Department financial records database, said the officials, who spoke only on the condition of anonymity because of the sensitivity of the matter. The Treasury Department halted the daily monitoring in April over questions about whether it violated federal policies.

The programs were inspired by the Obama administration’s Insider Threat initiative, a governmentwide crackdown on security threats that relies on profiling federal workers for certain behaviors.

While such data-sharing efforts didn’t appear to be illegal, they might infringe on the privacy rights of federal employees.

“It is a legitimate question: Is it OK to just troll this kind of information for all federal employees?” said Chip Poncy, a former Treasury Department official who served with the Bush and Obama administrations.

“But it’s a hard call,” Poncy said of the bank records check. “There are privacy interests at stake. There’s a danger of going overboard. But there is a compelling public interest in attacking corruption, including by exploiting this kind of information in a systematic way.”

Kel McClanahan, a lawyer in Washington who handles lawsuits alleging privacy violations, said Customs and Border Protection’s actions were “pushing the legal envelope.”

“They’re overzealous and unwise.”

Initiatives that scrutinize all federal employees continuously for certain indicators are comparable to a law enforcement agency conducting ongoing legal searches on a large group of people without concrete leads, he said.

“Law enforcement can look through the trash on your sidewalk. They don’t need reasonable suspicion for that,” McClanahan said. “These programs are the equivalent of collecting everyone’s trash in a two-square-mile radius looking for evidence of a crime that hasn’t occurred yet, just because you can do it.”

The controversies surrounding the data-sharing programs run by the agency’s internal affairs division add to a growing list of allegations against the embattled division.

The former division chief, James Tomsheck, was removed last month amid complaints that his unit had failed to complete investigations of alleged excessive force by border agents.

The division also is being investigated on suspicion of falsifying documents, intentionally misplacing employee complaints and bungling misconduct reports to mask its failure to curb employee wrongdoing, McClatchy reported last month.

Another internal affairs initiative, known as Operation Lie Busters, is also under review by the inspector general.

The operation sought to criminally prosecute instructors who taught federal employees how to beat the polygraph tests required for security clearances. It was even more unorthodox because federal investigators gathered the customer records of two men under investigation and distributed the list of 4,904 people – along with many of their Social Security numbers, addresses and professions – to nearly 30 federal agencies. It turned out that many were not federal employees and had simply bought books on how to beat lie detector tests.

All three of the data-sharing efforts were internal affairs’ version of the Insider Threat program, which was intended to prevent leaks of classified material to the news media by federal employees. However, catchall definitions of “insider threat” have given federal agencies broad latitude to craft their programs to detect a broad range of possible threats to the U.S. government.

The Customs and Border Protection measures were aimed at “proactively” detecting officials who may be corrupt or may have committed misconduct of some sort, said one of the officials with knowledge of the programs.

The agency’s use of the Treasury database was unusual because it ran all 60,000 employees’ Social Security numbers through the database every day, the officials said.

The database stores suspicious financial-activity reports generated by financial institutions and is used by a wide array of law enforcement agencies during investigations. The “suspicious activity reports,” as they are called, involve information deemed to be indicators of possible crimes.

The activities include unusual or frequent deposits and withdrawals, wire activity or suspicious locations of financial transactions. Making matters more complicated, financial institutions _ which include banks, money transmitters, traders and casinos _ don’t always agree on when to report the information.

“There’s a constant demand from financial institutions for more guidance on how to interpret the criteria,” Poncy said.

Before it launched the more aggressive program, Customs’ internal affairs division ran Social Security numbers through the database when it received specific information about suspected misconduct by an employee.

But about two years ago, the division decided to set up an automated scan that would check all Social Security numbers daily, officials said.

If a number matched one in the database, internal affairs analysts would receive notice of a possible “hit.” The analysts then determined whether a full-blown misconduct inquiry should be launched.

One federal official who defended the program said internal affairs was careful about vetting the information to make sure it was a solid lead, rather than a fishing expedition.

“This program was designed to go after people only for legitimate reasons,” the official said. “It was meant to use information that the agency was already permitted to use in the most proactive way possible.”

That official pointed out that Customs and Border Protection has been accused of not taking aggressive enough measures to root out corruption.

“Drug cartels are actively trying to insert their members into CBP,” said the official. “It’s not that easy to find the people who are corrupt. Sometimes you have to look for these types of indicators.”

John Richardson, a former senior internal affairs analyst, said he thought the program was too broad to be effective, especially given that Customs and Border Protection had plenty of concrete tips that could prompt a misconduct investigation.

“Why climb to the top of the tree when you can grab the fruit on the ground?” he asked.

Richardson, who alleges that the division retaliated against him as a whistle-blower, also questioned whether such programs would be used against employees like him.

“If you’re an employee in good standing, you should not have to prove your innocence every minute of the day just because you work for the federal government,” he said

In a statement, the Treasury Department declined to respond to specific questions and refused to allow a McClatchy reporter to speak to a department expert about the database, which is part of what is known as the Financial Crimes Enforcement Network or FinCEN.

“We can’t comment on whether any specific audit has occurred, or its findings,” the statement said.

The network’s mission is to “make Bank Secrecy Act data available to law enforcement agencies for their use in combating financial crime, terrorist finance and other threats,” the statement said.

“We have written agreements . . . that describe how the data may be used and how FinCEN may audit their practices to make sure the data is properly used and protected,” the statement said. “These safeguards protect the financial privacy of the American people while ensuring the security and stability of the financial system.”

The FBI data-sharing program also sparked a debate over workers’ privacy rights.

The Department of Homeland Security’s then chief privacy officer chided internal affairs for improperly sharing the personal information of 3,000 workers with the FBI as part of the pilot program.

Customs internal affairs analysts funneled the information to the bureau so it could check applicants’ and employees’ Social Security numbers in law enforcement databases. The employees were selected because they were supposed to be getting their security clearances renewed.

Mary Ellen Callahan, the DHS’s then-chief privacy officer, concluded in a July 2012 letter to a top official in the department that internal affairs officials “did not comply with department privacy policy or information sharing policy” and “disregarded privacy concerns raised repeatedly.”

In the end, the FBI “informally” shared the results of about 10 searches with Customs and Border Protection.

Callahan wrote that she was especially concerned about Tomsheck, the internal affairs chief who was recently ousted. She cited his “consistent disregard” for privacy policy. Callahan found that almost a quarter of the employees weren’t supposed to be undergoing security-clearance renewals. Adding to her concerns, the program was supposed to targeting employees at the border, but it ended up also scrutinizing employees in other regions.

“The assistant commissioner seemed to believe that (internal affairs’) mission exempts it from following applicable privacy law,” she wrote, adding, “This attitude is likely to result in a culture of noncompliance.”

By then, the pilot had been shut down. But with the ouster of Tomsheck, the inspector general’s office has launched its own review of the division’s handling of employees’ personal information, including the FBI data-sharing program.

Email:; Twitter: @marisaataylor.

McClatchy Washington Bureau is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service