The US Department of Homeland Security removed multiple career Customs and Border Protection officials from their roles this year after they objected to orders to mislabel records about surveillance technologies and block their release under the Freedom of Information Act, WIRED has learned.
Since January, DHS leaders have reassigned two of the top officials responsible for ensuring that CBP technologies comply with federal privacy law, according to multiple sources with knowledge of the situation. These sources were granted anonymity because they fear government retribution.
The reassignments followed December orders from the DHS Privacy Office to treat routine compliance forms as legally privileged, and to label signed privacy assessments as “drafts” exempt from disclosure under federal records law.
Those removed include CBP’s top privacy officer and one of the agency’s two privacy branch chiefs. The director of CBP’s FOIA office was also removed last month.
DHS ordered the new secrecy rules, sources say, after a CBP FOIA officer lawfully released a redacted privacy assessment, triggering backlash from DHS political leadership. The document—known as a Privacy Threshold Analysis, or PTA—was obtained by 404 Media last fall, providing the only formal government record of Mobile Fortify, a previously hidden face recognition app.
PTAs are a required compliance form, a questionnaire that describes the basic mechanics of new government systems that use or harvest personal data. It also records whether privacy officers approved the system or ruled the government was legally required to look closer at how it impacts people’s privacy.
In the case of Mobile Fortify, the public learned from the released PTA that DHS had acknowledged the app would capture people’s faces and fingerprints without their consent; that US citizens and lawful permanent residents would inevitably be among those photographed; and that every image taken, regardless of whether it matched anyone, would be stored for up to 15 years.
Labeling the document a “draft” would ostensibly bolster the agency’s ability to bury such revelations using an exception in FOIA that protects “advisory opinions” and “recommendations.” Sources say the privacy officials removed from their posts saw the tactic as legally incoherent, arguing that a completed compliance form could not be simultaneously signed and considered a draft.
“This policy change is illegal,” says Ginger Quintero-McCall, an attorney at the public interest law firm Free Information Group, and former supervisory information law attorney at the Federal Emergency Management Agency, a DHS component. “There is nothing in the FOIA statute—or any other statute—that allows the agency to categorically withhold Privacy Threshold Analyses.”
Quintero-McCall says she witnessed retaliation on the job firsthand before leaving the government last year. “It would not surprise me at all to learn that the administration reassigned employees who objected to this illegal policy of secrecy.”
A DHS spokesperson told WIRED on Monday, “Any allegation that DHS adopted a policy making Privacy Threshold Analyses exempt from the Freedom of Information Act is FALSE.”
Internal emails show otherwise.
On December 3, the DHS Privacy Office announced a “major change” that required all future PTAs to carry a disclaimer marking them exempt from public release. The disclaimer reads in full:
“This is a draft document that is pre-decisional, deliberative, and is designated For Official Use Only. It is subject to the deliberative process privilege and attorney client privilege. It is not to be released, shared, or distributed outside of authorized channels without prior consultation and approval from the Department of Homeland Security Privacy Office. Unauthorized disclosure may result in administrative, civil, or criminal penalties.”
CBP privacy officers, such as the ones reassigned, have not historically signed off on privacy reviews. Under previous administrations, that responsibility rested with a headquarters official working directly for the department’s chief privacy officer. The current chief privacy officer, Roman Jankowski, delegated that authority downward in one of his first acts in office, as WIRED previously reported.
