DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders

This year, the U.S. Department of Homeland Security removed several Customs and Border Protection officials from their posts after they objected to orders to mislabel documents about surveillance technologies and block their release under the Freedom of Information Act, WIRED has learned.

Since January, DHS leaders have reassigned two of the top officials responsible for ensuring that CBP’s technologies comply with federal privacy law, according to multiple sources with knowledge of the situation. These sources were granted anonymity because they fear government reprisals.

The reassignments follow December orders from the DHS Privacy Office to treat routine compliance forms as legally privileged and to characterize signed privacy assessments as “drafts” exempt from disclosure under the Federal Records Act.

Among those removed are CBP’s top privacy officer and one of two heads of the agency’s privacy branch. The director of CBP’s FOIA office was also fired last month.

DHS ordered the adoption of new privacy rules, according to sources, after a CBP FOIA officer legally released a redacted privacy assessment, triggering backlash from DHS political leaders. The document, known as a Privacy Threshold Analysis, or PTA, was obtained by 404 Media last fall, providing the only official government record of Mobile Fortify, a previously hidden facial recognition app.

PTAs are a mandatory compliance form, a questionnaire that describes the basic mechanics of new government systems that use or collect personal data. It also indicates whether privacy officials approved the system or ruled that the government was legally required to take a closer look at its impact on people’s privacy.

In the case of Mobile Fortify, the public learned through the published PTA that DHS acknowledged that the app would capture people’s faces and fingerprints without their consent; that U.S. citizens and lawful permanent residents would inevitably be among those photographed; and that every image taken, whether it matched someone or not, would be kept for up to 15 years.

Calling the document a “draft” would ostensibly strengthen the agency’s ability to bury such revelations by using an exception in the FOIA that protects “advisory opinions” and “recommendations.” Sources say the removed privacy officers viewed the tactic as legally inconsistent, arguing that a completed compliance form could not be simultaneously signed and considered a draft.

“This policy change is illegal,” says Ginger Quintero-McCall, an attorney at the public interest law firm Free Information Group and a former surveillance information law attorney at the Federal Emergency Management Agency, a component of DHS. “There is nothing in FOIA – or any other law – that allows the agency to categorically refuse privacy threshold analyses.”

Quintero-McCall says she witnessed retaliation at work before leaving government last year. “It would not surprise me at all to learn that the administration has reassigned employees who opposed this illegal policy of secrecy.”

A DHS spokesperson told WIRED on Monday: “Any allegation that DHS has adopted a policy exempting analyzes from the confidentiality thresholds of the Freedom of Information Act is FALSE. »

Internal emails show otherwise.

On December 3, the DHS Privacy Office announced a “major change” requiring all future PTAs to carry a disclaimer stating they are exempt from public release. The disclaimer reads in full:

“This is a pre-decisional, deliberative draft document intended for official use only. It is subject to deliberative privilege and attorney-client privilege. It should not be published, shared, or distributed outside of authorized channels without prior consultation and approval of the Department of Homeland Security’s Office of Privacy. Unauthorized disclosure may result in administrative, civil, or criminal penalties.”

CBP privacy officers, such as those reassigned, have historically not approved privacy reviews. Under previous administrations, this responsibility fell to a headquarters official working directly for the department’s privacy officer. The current chief privacy officer, Roman Jankowski, delegated that authority down in one of his first acts in office, as WIRED previously reported.