Naked Security

DOJ lets itself off the privacy hook

The Department of Justice has excused its insider threat database from multiple provisions of the 1974 Privacy Act

The ever-growing pile of evidence that privacy is dead just got a bit larger.

Last week, privacy advocates lost another round with the US Department of Justice (DOJ) in the battle over the relatively unfettered collection, analysis and distribution of massive amounts of personal data of those both in and outside of government.

The DOJ’s goal is both laudable and necessary – the mitigation of insider threats. But its method of reaching that goal involves eliminating significant protections for another crucial goal of a free society – personal privacy.

In a “final rule”, the DOJ excused its insider threat database – officially the “DOJ Insider Threat Program Records” – from multiple provisions of the 1974 Privacy Act.

The Electronic Privacy Information Center (EPIC), which filed objections to the exemptions when they were first proposed in June, noted that the database includes:

… detailed, personal data on a large number of individuals who have authorized access to DOJ facilities, information systems, or classified information, including present and former DOJ employees, contractors, detailees, assignees, interns, visitors, and guests. The scope of ‘insider threat’ is broad and ambiguous; the extent of data collection is essentially unbounded.

It added that the DOJ, “proposes to disclose information within the Database to multiple entities not subject to the Privacy Act, including state, local, tribal, or foreign law enforcement, private organizations, contractors, grantees, consultants, and the news media.”


Most of the people whose data is being collected, analyzed and shared, EPIC noted, aren’t under suspicion or the target of any investigation. And the “insider threat” information collected is not just used for law enforcement or intelligence purposes. It can then be shared with other agencies for what amounts to human resources purposes like hiring, retention, promotions and deployments.

The DOJ, which rejected all of EPIC’s requests to narrow or eliminate the exemptions, said they are all necessary to, “avoid interference with efforts to detect, deter, and/or mitigate insider threats.”

In response to EPIC’s request that only “relevant and necessary” records are maintained to detect and prevent insider threats, DOJ argued that it is impossible to say at the time data is collected whether some of them might become relevant later.

It said it protects the security and confidentiality of the data with, “appropriate administrative, technical and physical safeguards,” and is in compliance with multiple security standards, including those of NIST (National Institute of Standards and Technology) and the federal Office of Management and Budget (OMB).

That draws some intense skepticism from Shahid Buttar, director of grassroots advocacy at the Electronic Frontier Foundation (EFF), who said that because he was recruited in 1999 by the State Department and submitted an application, he was one of the 22 million current, former and even potential federal employees, “whose information submitted through the security clearance process ended up in the hands of Chinese intelligence agents” – the result of the notorious 2014 Office of Personnel Management breach.

“The relatively unbounded information that DOJ seeks for the Insider Threat system is not only overbroad, but also creates unnecessary security risks given its tremendous sensitivity,” he said.

Still, in response to EPIC saying that those whose personal information is collected ought to be able to have access to it and amend things that are incorrect, the DOJ said doing so:

… could compromise or lead to the compromise of information classified to protect national security; disclose information that would constitute an unwarranted invasion of another’s personal privacy; reveal a sensitive investigative or intelligence technique; disclose or lead to disclosure of information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, or witnesses.

The DOJ, noting that its data collection is, “for authorized law enforcement and intelligence purposes,” said it “follows lawful, vetted investigative practices and procedures.”

It claimed that it, “takes seriously its obligations to protect the privacy of Americans,” and said it might even waive one or more of the exemptions on occasion. But, of course, the decision to do that would be, “in its sole discretion” – a phrase that appears several times in the document.

Along with EPIC, other privacy advocates like Buttar say “final rules” like this make the DOJ essentially an unaccountable law unto itself.

Buttar suggested that government collection of data on “insiders” is as much, or more, about protecting itself as it is about protecting the nation:

“The Insider Threat program is itself a threat to the national security of the United States, by insulating from public accountability executive agencies that have repeatedly violated their constitutional and statutory limits,” he said. “Whistleblowers are conscientious public servants who advance the public interest by revealing fraud, waste, and abuse. They are heroes, not threats.”

Those arguments have obviously not swayed the DOJ. But that doesn’t mean privacy advocates are entirely out of options.

Final rules can be challenged through “judicial review” – a lawsuit.

And EPIC president Marc Rotenberg said Congress, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Chief Privacy Officer (CPO) for the DOJ all have some oversight authority for enforcement of the Privacy Act and reviewing government agency surveillance.

“EPIC has frequently written to Congress, PCLOB, and agency CPOs about similar issues,” he said. “And we will now add the DOJ Insider Threat database to our list of programs that we expect officials charged with oversight of the DOJ to investigate.”

8 Comments

In related news, I recently absolved myself of the burden of paying taxes.
Come on everyone; first round of IPAs (or choose your poison) is on me!


> “DOJ argued that it is impossible to say at the time data is collected whether some of them might become relevant later.”
They might as well store the PII of a month-old baby because he could go to work for DOJ 25 years later.


Hmmm, “sounds like” the DOJ is posturing itself to be exempt from laws, just before it’s about to be exposed that they leaked everything they have to China or some hacker group.


An organization can keep records of the people to whom it has granted access to its data. The thing is, this is a huge organization, so the list is very long.


I hope that every single one of these data leaks over the last three years has included every single Senator, Congressman, police officer, local official, any organization that has actively seen fit to use our data to their advantage, not ours. Then, and only then, will something actually be done about this atrocity! I’m serious, senators, Facebook owner, Twitter CSO and Microsoft Executives! I hope every single one of their social security numbers has been posted to the dark web, and then sold to the Russians!


I’m with you on the Senators and Congressmen, but police officers and local officials (town selectmen/mayors) don’t make policy/decisions around PII.


No, they don’t make policy, but they sure are quick to ask for unwarranted information on us anytime they want. I have no sympathy for them either.
