Understanding Fusion Centers
by Michael Dean Thompson
Introduction
After 9/11, authorities determined the event was possible due to a failure of the various intelligence agencies to communicate with each other and share their information, data, insights, and discoveries. In 2007, Eben Kaplan wrote for the Council on Foreign Relations that a clear example of this was when Ziad Jarrah was issued a speeding ticket on September 9, 2001. Jarrah was one of the four hijackers on United Airlines Flight 93, which crashed in western Pennsylvania. Kaplan argues that had the Maryland State Trooper known Jarrah was on a CIA watchlist, “he might have prevented, or at least disrupted, the worst terrorist attack in history.”
At the time the Department of Homeland Security (“DHS”) was created, there were a few regional Real Time Crime Centers (“RTCC”) where state and local law enforcement worked together to understand criminal patterns and track down suspects. These RTCCs became the models by which the DHS began creating fusion centers, which they define as “state-owned and operated centers that serve as focal points in state and major urban areas for the receipt, analysis, gathering and sharing of threat-related information between State, Local, Tribal and Territorial, federal, and private sector partners.”
The goal is to take advantage of the information being generated in each of the regions and filter it up to the federal level and out to other regions. With this, they hope to create a “sustainable approach to information sharing that cannot be accomplished by DHS or the federal government alone.” To achieve the goal, the DHS began using grant programs to funnel money out to the states and regions. There are now at least 78 fusion centers across the United States that were made possible by the generous DHS grant funds. Not only has the DHS budget quintupled to almost $100 billion by 2022, it has given out $28 billion in Homeland Security Grant Program money since 2002.
Fusion centers are therefore part of the United States government’s intelligence machine. They are a massive network of domestic surveillance programs where federal, state, and local law enforcement work alongside homeland security agencies, military, federal agencies, and even private companies and contractors to spy on Americans just going about their daily activities. And, all of it in secret. It is a requirement that people who work for fusion centers sign a Nondisclosure Agreement (“NDA”) that outlines potential penalties for disclosure. Unfortunately, embedding national security into state, local, and private policing apparatuses creates a significant amount of grey area where no single oversight authority exists. That secrecy and overlap allowed the DHS to sidestep some questions about fusion centers by offloading authorities to the states in 2012 when the Permanent Subcommittee on Investigations of the Committee on Homeland Security and Government Affairs (“Subcommittee”) investigated the effectiveness of fusion centers.
DHS makes certain of the crucial impact of the private sector as both consumer of their intelligence products and partner in creating those products. They established two focus groups, Public Safety Fusion Center Focus Group and Private Sector Fusion Center Focus Group, to help private sector entities identify guidelines with regard to how fusion centers will operate with those groups and the technologies they will use. Some of the technologies are rather banal, such as case management systems. Others, however, enable surveillance—and retention for future analysis—of sensitive information about private citizens who may not yet be suspected of a crime, much less terrorist activity.
According to the DHS Fusion Center Guidelines, the data collected in the fusion process “allows for the relentless reevaluation of existing data in context with new data in order to provide constant updates.” It goes on to indicate that the existing data is to be stored at the entity “taking action.” This relates specifically to the product of data drawn from national databases that contain personally identifiable information, like the National Data Exchange (“N-Dex”) as well as the FBI’s Law Enforcement Regional Data Exchange, and its integration into data drawn from other local and regional fusion centers. That data, as it is stored in the fusion center, is available to a broad range of personnel, including those who are not government employees and may not be subject to some of the same standards and safeguards.
Although fusion centers are billed as anti-terrorism tools, the fact that they are owned and operated by state and local entities creates a variety of focuses for the fusion center that have little to do with terrorism. Their core identity remains as a crime fighting tool, yet they are making use of powerful tools designed to ferret out terrorist activity originating in countries where intelligence agents are unconcerned with civil rights. Unfortunately, these tools are often manned by personnel who lack the training necessary to avoid impinging on civil rights here in the United States. The result has been reports of poor intelligence product and adherence to various legal safeguards that may have violated federal privacy laws. The lack of clear oversight and ambiguous authorities further allowed those who produced the poor product to continue doing so without consequences.
Technology and Tools Used in Fusion Centers
Fusion center personnel can vary from state to state and even among regions, but in general, they consist of some combination of agents from federal agencies such as the FBI, DEA, and ATF; state law enforcement; public safety; public health; and public works. These representatives, along with members of the private sector, input data into the fusion center databases. That data can include the obvious like 911 emergency call information, the capabilities of local hospitals, building blueprints, and names on national terror watchlists.
Increasingly, fusion centers are purchasing tools like automated license plate readers (“ALPR”) that keep records of each time and location of a license plate passing by the camera. Depending on the location and traffic, the number of license plates recorded can be quite significant and would quickly establish a person’s routine routes to and from work, worship, medical care, and more. They also purchase ALPR data that has been collected from other state and regional ALPR systems.
Other systems that DHS grant money has helped fusion centers purchase include predictive policing systems from Palantir and Dataminr’s social media surveillance software and data. Los Angeles used grant money to help purchase cell-site simulators that allow them to trick cellphones into connecting to them as if they were a cell tower. The cell-site simulators may be used to collect copious amounts of data from any cellphone user in the area. Microsoft and New York City worked together to develop the ominous sounding Domain Awareness System (“DAS”), using as much as $488 million in federal grant money by 2021. DAS was created specifically to support the unique and growing information processing needs of fusion centers.
Individually, some of this may not sound too concerning. However, the amount of circumstantial evidence that can be complied against any member of the general public in a flash is breathtaking and chilling. Imagine a stoplight camera catches a vehicle zooming away from some area of interest. Using ALPR, the police build up a history of locations where that license plate has been read. A data broker has sold them a series of location histories for cellphones as well, and sure enough, there is a rough match to a subset of locations. The identity attached to the license plate is used to help de-anonymize the cell locations that provide a complete pattern-of-life analysis. Another link analysis tool is used to ferret out people who might have been in the car. Yet another data source finds vehicle telematics that indicate hard stops and accelerations, passenger weights, and it is all tied together by location data but not a shred of hard evidence that the car was involved in the source incident. And sadly, at this point, there still has not necessarily been a single court order or warrant as all of the data is being made available through technology and data purchased by the fusion center.
One of the reasons Microsoft dominated the desktop and server markets was its ability to integrate data sources. Given that the point of a fusion center is the sharing of data among centers across the country, it is not hard to imagine that DAS, which Microsoft now sells to other states and regions (and for which New York City receives a royalty), makes sharing information among fusion centers across the nation who are running them much easier since they may reside on the same cloud servers. However, it also means that sharing circumstantial evidence compiled solely from big data conjectures is also easier.
To facilitate interoperability among fusion centers outside of Microsoft’s DAS, DHS actually offers tools that enable sharing of much more than terrorist threats. For example, fusion centers can communicate over Regional Information Sharing Systems secure intranet and the Homeland Security Information Network. The FBI’s eGuardian can be used as a Suspicious Activity Reporting tool that is accessed on the Law Enforcement Online. DHS defines the Global Federated Identity and Privilege Management (“GFIPM”) that allows for a single user identity sign-on that is valid in any adherent fusion center. As will be discussed later, it is apparent that many states are not using these systems or at least not finding all the features they desire within them. Instead, they are relying on external websites that clearly have not been properly vetted for such use.
The human brain is oriented around visual input. Fusion centers take advantage of that with large monitors providing real-time visualizations. Houston Thomas III, a senior business strategist at CDW•G, writes in a blog post quoted by StateTech Magazine that “advanced platforms go beyond just video and incorporate multiple data sources into their analysis.” He adds, “platforms are often cloud-based and incorporate artificial intelligence and deep learning into their approaches.” Deep learning is a form of artificial intelligence that excels at pattern matching.
They use that data to build significant insights into potentially innocent American lives. For instance, hackers have exposed fusion centers tracking Black Lives Matter protesters. An Oregon attorney named Lauren Regan, the Executive Director of the Civil Liberties Defense Center, represents two climate groups who are suing the Oregon Department of Justice for surveilling them despite not suspecting them of any crimes. She told PBS News Hour, “Oregon, through its fusion center, is spying on lawful political organizations and activists, primarily using digital means, merely because they were advocating, in this case, in opposition to the Jordan Grove LNG Pipeline.” She also alleges that “similar tactics [were] seen during the protests against the Dakota Access pipeline,” according to PBS News Hour.
Three States
The Florida fusion center says that “Fusion centers are the primary conduit between frontline personnel, state, and local leadership which assist in the collective review of information for the purpose of detecting, preventing, and preparing for threats to public health and safety.” While they mention on their web page that they rely in part on the private sector for the identification of trends and “indicators,” they quickly separate that from the public, from whom they accept Suspicious Activity Reports. Florida currently has two recognized fusion centers and five regional fusion centers, which includes three “certified nodes” of the Florida Fusion Centers. The Tallahassee fusion center was established in 2007 and was designated the primary fusion center the next year. The Governor of Florida serves as the head of the Network of Florida Fusion Centers.
The Virginia Fusion Center says its primary mission “is to fuse together key counterterrorism and criminal intelligence resources from local, state, and federal agencies as well as private industries in a secure, centralized location, to facilitate information collection, prioritization, classification, analysis, and sharing, in order to better defend the Commonwealth against terrorist threats and/or attack and to deter criminal activity.” Beyond its anti-terrorism and crime deterrence roles, the Virginia fusion center claims as a secondary mission working with the Virginia Emergency Operations Center to help “provide a comprehensive, coordinated, and effective response” to a terrorist attack or natural disaster. Their in-house units include a Terrorism Intelligence Unit, Cyber Intelligence Unit, Watch Center, Gang Intelligence Unit, and Critical Infrastructure Unit.
The Hawaii fusion center lays claim to being the 77th in the country, “uniquely structured to empower front-line law enforcement, public safety, fire service, emergency response, public health, critical infrastructure partners, and private sector security personnel to understand local implications of national intelligence, thus enabling local officials to better protect their communities.” Notice that the 77th fusion center does not mention terrorism in its self-description. In its description of “What We Do,” they first list Suspicious Activity Reporting, then analysis and dissemination of intelligence. Only after that do they claim in their last sentence of the web page, “The top priorities are counter terrorism and cyber security.” To meet these goals, the Hawaii State Fusion Center partners with the Hawaii high intensity trafficking area, state employees, National Guard, DHS, and FBI. Their “extended” partners include “every major local law enforcement office in Hawaii, critical infrastructure providers, private sector partners … and many others statewide.” At least for Hawaii, although the DHS describes a primarily anti-terrorism function for fusion centers, very little mention on those pages is actually given to terrorism.
Criticisms of Fusion Centers
The American Civil Liberties Union (“ACLU”) found five overarching problems with fusion centers. The first problem, “Ambiguous Lines of Authority” arises from multiple entities working together in a multijurisdictional environment, including shifts between working with state, and local “partners,” it can be unclear who is ultimately responsible. That ambiguous responsibility can include failure to provide complete reporting to oversight authorities and even intentional obfuscation.
That concern is exacerbated in their use of “Private Sector Participation.” Not only are corporations providing data about citizens, but they also participate in the massaging and analysis of the data and may be consumers of the final product. The result of private sector participation is the invasion of privacy of American citizens, especially in situations in which there are data breaches.
The third challenge is the participation of the military. Some fusion centers include military personnel, as is reflected in Hawaii’s own web pages, which are sourced in part from the Hawaii Department of Defense website. While it may be understandable when dealing with terrorist activities off American soil that intelligence agencies would be involved, having the military able to look into your actions at home on American soil reeks of constitutional violations.
Fourth, the fusion centers engage in “Data Mining,” a powerful technique of linking together disparate data sources and deriving potentially meaningful data, especially as it evolves over time. Because data mining uses tools designed to derive data from extremely large datasets that may seem unrelated or are too big for common tools to analyze, their use for predictive policing and link analysis may be particularly threatening to civil liberties for both what they can illuminate and what they can falsely highlight. For instance, a common example to teach the usefulness of data mining to business executives is to show consumption of ice cream over time along with external weather so that new correlations are found (like some flavor sells better during the rain) that may not have otherwise been obvious. Yet, the results can be misleading where the data indicating sales of ice cream flavors was poorly reported in the source data or due to errors in the import process due to sensitivity in how the data is formatted for mining. Data mining extends the threat to privacy because it not only collects information on innocent Americans but potentially exposes actions that are completely legal but inherently private in nature such as investments, manner of worship, or visits to specialized health clinics, assuming those responsible for translating the data do so correctly.
The final concern is the “Excessive Secrecy” surrounding fusion centers. Domestic intelligence must be subjected to stronger oversight under the Constitution so that those who have been accused, as well as the courts that are trying them, can understand how the information was derived and test it against constitutional protections.
The ACLU’s five concerns were outline before the events at the Capitol on January 6, before a massive hack and leak of fusion center documents and participants, and even before the release of a 2012 Subcommittee report detailing fusion center failures. Michael German, a retired FBI agent who focused on domestic terrorism, told PBS News Hour that the events of January 6 showed him just how ineffective the fusion centers had been. Echoing the ACLU’s concerns about ambiguous lines of authority, he said, he “worried that the federal government was promoting them as a way to keep their hands clean, let the state and locals run the centers. That way, when they get in trouble, we will say, not us.”
There have been a large number of disturbing reports on fusion center activities from the ACLU and others that clearly illustrate the above issues. Some of the reports sound remarkably like some of the conspiracy theory speculations that frequent Q-Anon sites. For example, one of the Texas fusion centers put out a bulletin that describes an attempt between Muslim civil rights organizations, lobbying groups, anti-war movement, a former U.S. Congresswoman, the U.S. Treasury, and hip-hop groups to spread Sharia law in the U.S. And the Virginia fusion center found that its state universities and colleges were becoming “nodes of radicalization.” It further identified the “diversity” around a Virginia military base and the state’s Historically Black Colleges and Universities as potential threats. Then in Wisconsin, an analyst from DHS prepared a report about people protesting on both sides of an abortion debate even though no violence was expected. Finally, photography, note-taking, drawing, and collecting money for charity are among the suspicious activities that should be reported according to the Colorado Information Analysis Center because they are among the warning signs of terrorism. By those standards, virtually any activity carried out during the course of a person’s daily life can potentially get the person flagged as a potential threat and subjected to surveillance by a fusion center.
Details
Rutgers University Law School’s Center for Security, Race, and Rights (“CSRR”) studied New Jersey’s fusion center, resulting in the release of a report in March of 2023, “Shining a Light on New Jersey’s Secret State Intelligence System.” Using New Jersey’s Open Public Records Act, CSRR spent a year trying to get information on the New Jersey fusion center. Unsurprisingly, much of the effort was “all but fruitless,” as law enforcement agencies involved stonewalled and equivocated in order to “maintain a wall of secrecy.” Brendan McQuade, Criminology professor at the University of Southern Maine and the author of Pacifying the Homeland, told CSRR that New Jersey’s fusion center, which serves as the Regional Operations and Intelligence Center (“RIOC”), is essentially “a mini-CIA on call for [New Jersey] cops.” This mini-CIA practices counterinsurgency tactics against American communities. They euphemistically call it intelligence-led policing.
As discussed earlier, the DHS’ objective in creating fusion centers was to prevent another 9/11 event from happening. But rather than merely collecting and disseminating (hopefully rare) terrorism related information, the mission has shifted into an “all hazards” approach. Now, the fusion centers like the ROIC have shifted their techniques to examine the lives of common Americans who assume they have nothing to hide. They have collected volumes of information and spent taxpayer money on advanced technologies and staff, but they have “not yet proven to generate valuable and reliable intelligence relating to national security threats,” according to CSRR. Their sole successes have been their aggressive targeting of BIPOC communities, anti-war protesters, and political activists via their surveillance programs. It was not a lack of surveillance or the lack of spending or even a failure of the tools that allowed the takeover of the Capitol on January 6. It seems rather more likely that their focus was elsewhere. However, we may never know as “[e]ven professionals steeped in the language, history, and culture of the national security state know relatively little about what fusion centers actually collect, let alone the ways such information is used to stop terrorism, if at all.”
The New Jersey Office of Homeland Security and preparedness (“NJDHSP”) houses New Jersey’s fusion center, the ROIC, and acts as the point of contact between a variety of state-and federal agencies. Although owned by the state and signed into existence by then Governor Corzine in 2006 via Executive Order 5, the NJDHSP is not part of the state’s Department of Law and Public Safety. A study in 2019 found that roughly half the civilian analysts employed at the ROIC were employees of the Office of Homeland Preparedness. Unlike other agencies, the NJDHSP has no oversight other than the governor’s office. And again, it is the ambiguous lines of authority that arise in a multijurisdictional environment, especially when nearly half the people employed have so little oversight, that make any understanding of what is actually happening inside the facility purposefully impossible to divine.
The ROIC has failed to disclose how many terrorist plots it has quashed. Nor has the ROIC displayed the systems in place to ensure that they are not violating the civil liberties of Americans with unconstitutional surveillance. Instead, they have adopted the Intelligence-Led Policing approach that has been replacing evidence-based investigations with mass data collection in which they report on potential threats. The Brennan Center for Justice concludes in its own report, A Course Correction of Homeland Security, that fusion centers designed for “[s]haring credible information about actual threats of violence is vital. But fusion centers have repeatedly disseminated false, biased, and unreliable information and focused disproportionate attention on minority communities and protest movements—all with minimal security benefit.”
Professor McQuade points out in Pacifying the Homeland that in 2010, approximately 385 parole violators were captured with the assistance of “the ROIC with intelligence compiled by analysts and the two parole officers assigned there full-time.” The ROIC has compiled information to perform warrant sweeps in primarily BIPOC communities. The warrants were almost exclusively of BIPOC people engaging in non-terrorist, non-violent acts. Many of them were for failing to appear in court, child support, drug possession, and—invariably when no other reason can be found—resisting arrest. Despite being sold to the public as anti-terrorism utilities, the massive surveillance system is making possible mass arrests of Americans.
The ROIC did make a report of a potential terrorist attack. In 2008, the ROIC issued a report about how an “Altered Bus in Fairfield, N.J. Presents Concerns.” A bus in Fairfield was pulled over, and it was discovered that the driver had allegedly “modified the bus to avoid fuel taxes.” The analyst pointed out how such alterations could have turned the large bus into an improvised explosive device, not that the bus was so equipped or suspected. “While the N.J. ROIC has not received any specific, credible threats related to altered buses in New Jersey,” the analyst wrote, “this event highlights the devastating capabilities an altered bus could have in terms of casualties or toward infrastructure.” Sadly, as we will later see, such hysterical reports on banal facts being contorted into terrorist potential are not limited to New Jersey.
Professor McQuade writes the following in his book. In the absence of terrorism, fusion center employees “have to use their time and skills constructively” and find new ways “to be valuable to their states.” To meet these practical demands, fusion centers developed to the needs of the police agencies managing them. In this context, fusion center investigators “found” that many acts of terrorism have a “nexus” with crime, which is reminiscent of the famous observation that “if the only tool you have is a hammer, you tend to see every problem as a nail.” Similarly, fusion centers’ information-sharing mission led many to contend that intelligence fusion reveal criminal patterns across jurisdictions.
In essence, the same tools that are used to detect terrorist plots are assumed to be able to predict crimes and therefore provide a means for the fusion centers to prove their worth while they await the next 9/11 to pass across their multitude of screens.
In Camden, N.J., this means that a local ROIC cell monitors over 150 surveillance devices that watch, listen, and otherwise monitor its denizens 24 hours a day. One expert at the ROIC told Professor McQuade that the mere concept of privacy under a city regulated by the ROIC’s watchful eyes and ears becomes a “pedantic concern, and almost abstract formalism.”
Rather than tracking terrorists, the fusion centers have become an “outsourced” intelligence division for local domestic law enforcement, performing crime-mapping and predictive policing. Rather than combatting international terrorism that genuinely poses a danger to the homeland, one analyst says, “a lot of our time is filled up with monitoring trends and data streams, rather than specific cases.”
Despite fusion centers’ immense expense and power, the reflexive efforts at maintaining their opaque practices while endeavoring to peer into the private lives of their citizens is remarkable. CSRR sent out OPRA and FOIA requests for information in March of 2022 to federal and state agencies, including law enforcement, who were involved with the fusion centers. Only one provided a substantive response, and even then, it was largely unhelpful. Most responded that they had no records or asserted statutory reasons they were exempt that required broad or novel interpretations of the law.
Based on their findings, CSRR recommends three structural changes for the NJDHSP and ROIC. The recommendations largely reflect concerns made by other entities with regard to fusion centers. The first recommendation is for the governor to appoint an ombudsman to oversee New Jersey’s intelligence system. CSRR also recommends that the New Jersey legislature mandate regular reporting by the Chief Intelligence Director. The final recommendation is that Civil Society conduct a People’s Audit of the fusion center to determine the privacy impact on New Jersey’s diverse populations.
In 2012, the United States Senate Permanent Subcommittee on Investigations did its own investigation and report, Federal Support for and Involvement in State and Local Fusion Centers. Despite being bipartisan, the report was far more critical than the CSRR, especially since despite their greater ability to demand documents, in two years of examining fusion centers, it ran into many of the same reflexes of fusion centers to keep their cards close to their vest. DHS officials at times failed to disclose or even acknowledge to the Subcommittee non-public evaluations that highlighted problems within fusion centers. Likewise, the DHS overstated success stories and, at one point, falsely claimed the existence of certain fusion centers.
The Subcommittee also found that: DHS-assigned agents to the fusion centers forwarded “intelligence” of uneven quality—oftentimes, shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already published sources, and more often than not unrelated to terrorism.
One story that came out of the 2012 report that must have been frustrating for the Subcommittee but is also darkly humorous has to do with a self-evaluation the DHS performed in 2010 with regard to fusion centers. When the Subcommittee asked for access to the report, the DHS denied the report existed. However, in June of 2011, the Subcommittee was interviewing a senior DHS official who was unaware that the existence of the report had already been denied. When the official presented a copy of the in-extant report, DHS officials at the interview refused to leave it with the Subcommittee as “they needed time to resolve their concerns about agreements of confidentiality allegedly made with fusion centers.” Somehow, these agreements allegedly prevented DHS from sharing the reports with Congress, as though DHS could thwart Congress’ oversight responsibility and power by contracting its way around them.
The Subcommittee naturally requested copies of the confidentiality agreements. There were none, since it turned out the agreements were oral “assurances.” When pressed as to who made the agreements, the officials pointed to the office of the Program Manager for the Information Sharing Environment (“PM-ISE”). The PM-ISE did not recall any such agreements, though they did find “certain assurances” made during a 2009 pilot study. So, it “is not clear if similar assurances were given in 2010, but this appears likely as the same considerations … were present, and as a result, confidentiality was important to achieving: goals of the assessment,” the PM-ISE claimed.
With the existence of the report established and the nature of the oral assurances understood, they were on-track to receive the report cards. Those came after the Subcommittee received a letter from the National Fusion Center Association (“NFCA”), a non-governmental organization that advocates for fusion centers. The letter explained that NFCA had “authorized” DHS to share the report cards with Congress. A private group, funded by money from corporations like Microsoft and Mutualink, whose primary purpose is to help fusion centers access more federal dollars so that they can purchase more technology conveniently sold by the group’s sponsors, told the Subcommittee it had authorized the Department of Homeland Security to submit to Congress. This is definitely not how congressional oversight and our system of checks and balances work.
The NFCA’s director was called to the Subcommittee. During the meeting, W. Ross Ashley III said he no longer stood by the language of the letter. “Maybe the term ‘authorized release’ wasn’t appropriate,” he conceded them. He added that the phrasing was “a little boisterous on our part.”
This clearly illustrates the problem of the ambiguous lines of authority. Among the many answers about the existence of the 2010 report was the argument that the report was requested by an external agency so that it was not available for the DHS to give out. These types of ambiguities are heightened as authorities shift from federal to state and private enterprise. There is no single office to whom its participants and targets can report or appeal.
One such finding by the Subcommittee that the report failed to clarify had to do with the use of private contractors. The Senate report did notice that fusion centers rely on contractors, sometimes outnumbering government employees within a fusion center. Some of those contractors were found to be “under-trained or poor performers.” The website POGO.org points out that if contractors outnumber government employees, there is a good chance they are “directing and controlling” aspects of the fusion center’s operations, which goes against federal contracting law that mandates “the direction and control of intelligence and counterintelligence operations” as a function that must be performed by a government employee.
Professor McQuade hammers home the problem well in his book: “On paper, fusion centers have the potential to organize dramatic surveillance powers. In practice, however, what happens at fusion centers is circumscribed by the politics of law enforcement. The tremendous resources being invested in counterterrorism and the formation of interagency intelligence centers are complicated by organization and jurisdictional rivalries. The result is not a revolutionary shift in policing but the creation of uneven, conflictive and often dysfunctional intelligence-sharing systems.”
One of the key findings in the 2012 report by the Subcommittee was the low quality of the terror reports. As part of their review, the Subcommittee examined raw intelligence reports drafted by state and local fusion centers. All told, there were 610 draft reports, all of which came from 31 states, meaning fusion centers in 19 states made no report at all. Three states were responsible for 72.5% of the submitted reports by DHS detailees at fusion centers—Texas, California, and Arizona—with Texas nearly doubling Arizona’s count. Quantity is not quality, however, as nearly a third of the nation’s reports were canceled due to lacking useful information, Privacy Act violations, and more.
Some of the reports found by the Subcommittee had “nothing of value.” One Homeland Intelligence Report (“HIR”) notified its potential readers that a certain model of car had a folding rear seat that allowed for access to the trunk without getting out of the car. That vehicle, the author argued, could be used for human trafficking. A review commented, “This is common knowledge,” adding that a folding rear seat “is featured on MANY makes and models of vehicles.”
One HIR out of Texas reported on a man standing under a bridge near the U.S.—Mexico border. When a deputy sheriff approached the man, he self-identified as a former gang-member, though that gang had no known activity in the area. There was no arrest and no contraband found, but there were footprints. Despite reviewer comments like “[t]his report does not provide the who, what, when, where, how” it took seven months for the report to be canceled.
There was a total of 188 canceled reports during that period. Others reported methamphetamine manufacturers, cocaine possession busts, and an automobile crash by a former Afghan translator for the U.S. Army. Yet another HIR draft quoted a news article about a Mexican ambulance refusing to transport a Mexican victim of drug violence.
The canceled reports covered inane to invasive topics having nothing substantive to do with keeping America safe from terror attacks. One submitted report covered a list of books recommended by a Muslim community group. The suggestions titled Ten Book Recommendations for Every Muslim contained four books authored by people with records in the Terrorist Identities Datamart Environment. The report was canceled because there was nothing showing that the titles contained anything about terrorism or other criminal/violent activity. Another reported on a California biker gang producing a leaflet telling its members how to stay out of trouble with the law. Yet another reported a U.S. citizen who gave a day-long motivational speech and lecture to a Muslim group on positive parenting. Of the canceled drafts that overstepped legal bounds, over half appeared to come from a single intelligence officer. That officer’s poor performance earned them informal counseling rather than penalty, reprimand, formal counseling, or any other form of actual consequence.
Of the 384 reports that did eventually get published, nearly 300 had no discernible connection to terrorism. Instead, the national network was loaded with alien smuggling, drug smuggling, and common criminal behavior. Of the HIRs that actually may have been terrorism related, they were often out of date, duplication of the work of others, and/or based on publicly available news accounts. One officer wrote about how the Fort Hood shooter in 2009 was praised by the U.S. born cleric Anwak Nassar Al-Awlaki. Despite being four days after new organizations had reported the same thing, the HIR was circulated all the way up to the White House Briefing Room. The author of the HIR even cited it as a signature accomplishment.
What Hackers Have Shown Us
This truth cannot be overstated: Any computing device connected to a network is vulnerable. The single best protection against hackers comes from physical space between a hacker and a computer in isolation—a so-called air-wall. And, depending on your level of paranoia, even that may not be enough. It is also the case that when an intelligence operation relies on contractors, external networks, and private enterprise software it is impossible to fully vet for security problems, thus hacking is going to occur.
A recent attack of a company out of Houston, Texas, made public the data of 700,000 police officers. The company is Netsentials, and it hosted 251 law enforcement websites, including the sites of fusion centers such as the Northern California Regional Intelligence Center, with its 28,114 accounts, all hosted on the same vulnerable content management system (“CMS”). Distributed Denial of Secrets (“DDoSecrets”) published 269 GB of data collected on a peer-to-peer file sharing system technology called BitTorrent, as well as on its own website.
The hack was performed by a collective that calls itself Anonymous, but it could be argued they were helped by the terrible design of the CMS that used Microsoft Access for its backend data and VBScript for its page manipulation code. They could have used a highly secure database platform called SQL Server that Microsoft provides. ASP.Net is designed to take advantage of SQL Server’s many security and performance features with very little coding necessary to connect them. Likewise, ASP.Net itself takes advantage of the highly secure Common Language Runtime. Yet, it appears Netsentials’ developers ignored security considerations for the lower cost by using Access, or it could be they simply lacked the skillset necessary to understand the risks their code and database choice presented.
The content of the websites’ databases included email addresses, home addresses, and cellphone numbers; the full name and rank, as well as the agency of the account holders; and often a password hash. Netsential’s clientele included some very large government centers. The National Guard drug training program had more than 200,000 accounts. The Los Angeles High Intensity Drug Trafficking Area had more than 150,000 accounts. In fact, many of these accounts belonged to fusion centers. There were also a large number of local police and training academies. Beyond law enforcement, there were also organizations that partner with law enforcement. Included were websites like the Houston Police Retired Officers Association.
The above disclosures mean that a significant number of officers and their families are exposed to the world. It strongly illustrates the risks of using off-the-shelf products to store and communicate sensitive data. In addition to the officers, a substantial number of documents retrieved dealt with Suspicious Activity Reports that included personal data of those people being reported.
One woman whose data might have been exposed in the raw data had written to attorneys in the aftermath of George Floyd’s death. She was a political science major in Oregon and trying to help protesters acquire pro bono legal assistance. She wrote, “I am a longtime activist and ally of the Black Lives Matter movement. Is there anyway (sic) that I could add your firm, or consenting lawyers under your firm, to a list of resource who will represent protesters pro bono if they were/are to be arrested? Thank you very much for your time.”
Clearly, this woman was a terrorist, and the angry email recipient reported her to the authorities. In all caps, he wrote, “PLEASE SEE THE ATTACHED SOLICITATION I RECEIVED FROM AN ANTIFA TERRORIST WANTING MY HELP TO BAIL HER AND HER FRIENDS OUT OF JAIL, IF ARRESTED FOR RIOTING.” This brave Bay Area attorney submitted the report anonymously as he “CANNOT RISK THIS PIECE OF SHIT ANTIFA […] FILING A BAR COMPLAINT AGAINST ME.” After a warning that the San Francisco public defenders would protect people like her, he signed off with “HAPPY HUNTING”.
Somehow, an investigator at the Marin County DA’s office thought the tip worth reporting to the Northern California Regional Intelligence Center’s CMS. She uploaded it as a PDF scan of the letter sent by the attorney. The student’s name was on the subject line, and it was categorized as “Radicalization/Extremism.” Her summary said, in part, the student “appears to be a member of the Antifa group and is assisting in planning protesting efforts in the Bay Area despite living in Oregon.” Not only did the recipient attorney take the original letter out of context, the investigator actually exaggerated it further so that if you read the letters in reverse order, it would not be obvious they were talking about the student.
Among the downloaded data were more than 1,200 reports. They showed law enforcement leadership concerned about potential Antifa threats and “black racially motivated violent extremists.” Included were intelligence reports from federal and local agencies drawn from Slack channels and online messaging boards. They also tracked Facebook RSVPs to a suburban candlelight vigil and peaceful protester events. For example, the Hennepin County Sheriff’s Office even kept track of RSVPs to the “Peace and Prayers BBQ” at a church and a candlelight vigil in Maple Grove. Other reports also suspected that “forest jihadis” might engage in arson attacks during the California wildfires.
It seems that roughly a decade after the Subcommittee report, there was little improvement. The quality of reports had not improved. They continue to intrude on the lives of normal citizens who have no idea they are being tracked or why. Meanwhile, they strive to extract their data from Americans almost entirely without oversight. It reflects their understanding that their actions and comments would not sit well with the public. Judging by the documents seen here, they have good reason to think that. Operating in secrecy and ambiguity leaves them unmoored to the production standards expected of law enforcement.
Changes
The state of Maine found itself at the focal point of attention after DDoSecrets released the “BlueLeaks” documents. Some 2,961 documents from the Maine Information and Analysis Center (“MIAC”) were found in the records, illustrating many of the same problems other fusion centers have shown throughout the country, from a lack of oversight to having “a bad reputation for being amateurs, they have a reputation for incompetence and abusive behavior,” Professor McQuade told The Intercept.
The first real rumbles of dissent against MIAC came when George Loder, a 26-year veteran of the Maine State Police, sued MIAC and its supervisors for retaliating against him when he questioned its practices. He claimed in his suit that the center was monitoring people engaged in legal activities like purchasing a firearm. The center also collected information about people attending the Seeds of Peace summer camp for Israeli and Palestinian youth. Shortly after Loder’s lawsuit was dismissed on purely technical grounds, BlueLeaks confirmed his claims.
Among the data, it was shown that MIAC analysts had read far right conspiracy theorists posts about George Floyd protesters planning violence, which they forwarded. One anonymous Twitter account (now X) claimed that bricks were being staged by Antifa to fuel violent actions, resulting in another credulous report by a MIAC analyst. They were also concerned about two young girls in hijabs recording video and taking photos outside a juvenile court.
It was becoming clear that Maine’s residents were not getting their money’s worth from MIAC. In 2018, the MIAC had itself found “no specific, credible intelligence to indicate a terrorist threat to the state of Maine.” Rather than terrorism, their biggest threat came in the form of opioids. As a result, a non-partisan bill sought to reduce the scope of the $800,000 annual budget of MIAC. But that bill was defeated in the state Senate.
However, the Maine state House and Senate tried again. Rather than defunding MIAC, they passed HP947, An Act to Increase the Transparency and Accountability of the Maine Information and Analysis Center. Under the bill, a new Auditor position within the Office of the Attorney General will conduct regular reviews of MIAC activities to be shared with the public. Possibly more importantly, any information MIAC shares with a private entity becomes public record and is accessible by the public. The hope is that Maine is the first domino to fall and that other states will soon follow.
Sources: ACRECampaigns.org [DHS: Open for Business], hsgac.senate.gov, Rutgers University Center for Security, Race and Rights, StateTechMagazine.com, brennancenter.org, DHS Fusion Center Engagement and Information Sharing Strategy for 2022-2026,Fusion Center Guidelines, brookings.edu, dhs.gov, cfr.org, Fusion Center Technology Guide, cdt.org, dod.hawaii.gov, hawaiifusioncenter.org, fdle.state.fl.us, fusion.vsp.virginia.gov, pbs.org, eff.org, theintercept.com, pogo.org, washingtonpost.com, aclu.org
As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login