William M. Arkin on National and Homeland Security

The Pentagon Breaks the Law

The National Security Agency story has pushed military spying on anti-war groups off the front pages, and the Pentagon appears to have seized upon administrative error to explain away its slide into domestic spying.

The Department of Defense now says that analysts may not have followed the law and its own guidelines that require the purging of information collected on U.S. persons after 90 days. The law states that if no connection is made between named persons and foreign governments or transnational terrorist organizations or illegal activity, U.S. persons have a right to their privacy and information about them must be deleted.

Thanks to RL, I now know that the database of "suspicious incidents" in the United States first revealed by NBC Nightly News last Tuesday and subject of my blog last week is the Joint Protection Enterprise Network (JPEN) database, an intelligence and law enforcement sharing system managed by the Defense Department's Counterintelligence Field Activity (CIFA).

What is clear about JPEN is that the military is not inadvertently keeping information on U.S. persons.  It is violating the law. And what is more, it even wants to do it more.

Follow-up reporting on the Pentagon spying story -- both by this newspaper and by the New York Times -- mistakenly refers to the suspicious incidents database that I obtained for the time period July 2004-May 2005 as the TALON database, for the Threat and Local Observation Notice reporting system.

TALON, according to the Pentagon, is merely a non-threatening compilation of "unfiltered information."

The data on incidents is used "to estimate possible threats," DOD says. "It is in effect, the place where DOD initially stores "dots," which if validated, might later be connected before an attack occurs," the department says in a written statement prepared for reporters.

"Under existing procedures, a "dot" of information that is not validated as threatening must be removed from the TALON system."

But JPEN is more than just a compilation of TALON's. It is a near real-time sharing system of raw non-validated force protection information among Department of Defense organizations and installations. Feeding into JPEN are intelligence, law enforcement, counterintelligence, and security reports, TALONs as well as other reports.

JPEN shares this information at all levels, from military police guarding entry gates at military bases to terrorism warning watch standers at the Defense Intelligence Agency. JPEN began as a pilot project in the Washington, D.C. area and was initially fielded in June 2003.

Under the provisions of the Privacy Act of 1974 (5 U.S.C. 552a), the military can maintain information on specific individuals (name of individual or other personal identifiers such as Social Security number or driver's license number) in the JPEN database system for 90 days.  JPEN then is supposed to purge all Privacy Act information after 90 days, unless it is part of an ongoing investigation.

From the beginning of JPEN, system designers have attempted to balance their task of collecting and retaining information of intelligence and warning value with the longstanding "intelligence oversight" and Privacy Act restrictions. According to a JPEN classified briefing obtained by this blogger, the 90-day "data content limit creates issues for long-term correlation and analysis."

In other words, how can the military connect the dots if it is restricted to a 90-day deadline? According to the briefing the NORTHCOM says it will "continue to purge required information IAW [in accordance with] the law" but it is also working "privacy act restrictions with legal office to retain information previously subject to purging."

Evidently though, the JPEN maintainers didn't abide by the law, and the collectors feeding TALON and other reports into the system overreached in monitoring and retaining information on anti-war and anti-military organizations of no conceivable threat.

The managers of JPEN are hardly being inadvertent about either the 90-day restriction or the intentional collection of information on U.S. persons.  So far, it appears that they have broken the law. And what is more, they are agitating internally to find ways of circumventing the legal restrictions.