[Infowarrior] - Texas' new version of TIA

[Richard Forno]

(c/o Dangerroom)

Printed from http://new.texasobserver.org/article.php?aid=2472
April 20, 2007 ‹ Features
The Governor's Database
Texas is amassing an unprecedented amount of information on its citizens
by Jake Bernstein


Piece by piece, Gov. Rick Perry¹s homeland security office is gathering
massive amounts of information about Texas residents and merging it to
create the most exhaustive centralized database in state history. Warehoused
far from Texas on servers housed at a private company in Louisville,
Kentucky, the Texas Data Exchange‹TDEx to those in the loop‹is designed to
be an all-encompassing intelligence database. It is supposed to help catch
criminals, ferret out terrorist cells, and allow disparate law enforcement
agencies to share information. More than $3.6 million has been spent on the
project so far, and it already has tens of millions of records. At least
7,000 users are presently allowed access to this information, and tens of
thousands more are anticipated.

What is most striking, and disturbing, about the database is that it is not
being run by the state¹s highest law enforcement agency‹the Texas Department
of Public Safety. Instead, control of TDEx, and the power to decide who can
use it, resides in the governor¹s office.

That gives Perry, his staff, future governors, and their staffs potential
access to a trove of sensitive data on everything from ongoing criminal
investigations to police incident reports and even traffic stops. In their
zeal to assemble TDEx, Perry and his homeland security director, Steve
McCraw, have plunged ahead with minimal oversight from law enforcement
agencies, and even DPS is skittish about the direction the project has
taken.

In researching TDEx, the Observer reviewed more than a thousand pages of
documents from the Office of the Governor, DPS, and the Department of
Information Management. We interviewed law enforcement officials as well as
McCraw. The narrative that emerged from the records‹disputed by McCraw‹is a
headlong pursuit of control through information hoarding for a project in
search of a purpose. Along the way, money has been squandered, sensitive
data potentially lost, and security warnings unheeded.

If information is power, Perry and his successors are about to become
powerful in ways that are scaring civil libertarians, and probably should
alarm every Texan.

Texas agencies already have plenty of information on all of us‹driver¹s
licenses, fingerprints, and proofs of address, details we provide every time
we renew our licenses, register a car, or vote. Then there¹s every brush
with the law, all the criminal convictions, prison records, and so forth.
Much of that information is now scattered about in different agencies and
locations. Never has it been pulled together for the ease of access that
TDEx promises.

There¹s also a less discernible realm of information that should perhaps
concern the citizens of Texas more. In the course of doing their work,
police agencies vacuum up enormous piles of tips, rumors, innuendo, guesses,
false reports, and other useless material that they sift through to solve
crimes and identify criminals.

Access to this massive trove of information‹files on cases in progress,
notes about ³persons of interest² who may prove to be of no interest at all,
details involving confidential informants‹is closely guarded for good
reason. Information worthless for solving a crime might be useful in other
contexts. Like politics or personal revenge. The potential for abuse
explains why access to existing federal and state crime databases is
normally strictly controlled. Over the years‹in the wake of scandals like J.
Edgar Hoover¹s secret FBI files and the increasing privatization of computer
databases‹federal regulations have evolved to ensure the safety of
information and accountability for its use. Keeping a tight rein on who can
access raw investigative data, and for what purposes, is supposed to prevent
abuses large and small‹from high officials who might misuse information for
political purposes down to small town deputies who might be willing to sell
information, or use it to track down an ex-wife¹s new boyfriend.

The federal rules apply to states that accept federal money and ensure the
integrity of law enforcement efforts. Under federal rules, a database like
TDEx must be run by a criminal justice agency. According to the FBI and DPS,
Texas Homeland Security is not a criminal justice agency.

McCraw, who has an extensive criminal justice background, including a stint
as an assistant director of the FBI¹s Office of Intelligence, has fought a
pitched battle with DPS in his zeal to promote TDEx. Repeatedly DPS has
raised concerns, chief among them whether the new database is even secure
enough to keep unauthorized users from logging on because it lacks ³advanced
authentication² to ensure that people accessing the database are who they
say they are. DPS is also worried that the same user could be logged on to
the system multiple times concurrently.

Then there¹s the problem of getting rid of bad data or faulty intelligence
that finds its way into the system. Each agency that gives data to TDEx is
responsible for the accuracy of its own information. But where once the
mistake of a single police department was its own, TDEx offers the potential
to amplify that error statewide.

To identify weaknesses within TDEx, a database manager with the DPS Criminal
Law Enforcement Division, at the direction of his boss, easily defeated the
security of the user registration process last summer. He did it by
employing an accurate and relatively easily obtained agency identification
number, and used one of his son¹s e-mail accounts. In retaliation, Jack
Colley, the governor¹s director of emergency management, revoked the DPS
staffer¹s access to TDEx. After DPS complained, it was reinstated 11 days
later.

McCraw says the audit and authentication issues raised by DPS have been
resolved. He says that an on-again, off-again Texas Intelligence Council of
law enforcement officials will eventually supervise TDEx. McCraw blames DPS
reluctance to embrace TDEx on its fear of change. ³You are going to see a
strong resistance institutionally to move to new things,² he says.

Remarkably, in many ways TDEx seems to be an improvement over Texas Homeland
Security¹s first stab at a database run by a private contractor. On June 27,
2005, the Department of Information Resources, at McCraw¹s behest, sent out
a ³request for offer² to vendors that could provide a ³Solution for Local,
Intra-State, and Inter-State Sharing of Offender and Other Investigative
Data.² DPS was not consulted in the development of the offer request. The
resulting contract given to Kentucky-based Appriss Inc. would initially be
worth a little more than $759,000.

The information department, which handle¹s the state¹s computer needs,
originally was supposed to monitor how well Appriss did the job, but that
arrangement quickly ran into a problem. Under federal law‹relevant because
federal money was being used‹the contract had to be overseen by a criminal
justice agency. So McCraw simply designated the department as one. ³I am
writing to confirm the Texas Department of Information Resources (DIR) is an
agency with law enforcement functions for the purpose of TDEx,² he wrote to
Larry Olson, the department¹s chief technology officer.

While TDEx was getting under way, on August 29, 2005, Hurricane Katrina hit
New Orleans. As Texas cities filled with Louisiana refugees, panic over the
possible arrival of a criminal element from New Orleans seems to have
gripped some Texas authorities. McCraw proposed a separate database that
would group traffic law enforcement information, DPS criminal law
enforcement reporting, the Texas Rangers database, consumer records amassed
by a scandal-ridden private data company called ChoicePoint Inc., prison
records from Appriss, and criminal information from the Louisiana State
Police. (There are differing accounts of whether polygraph information, the
inclusion of which if not redacted could have violated state law, was also
provided. McCraw says no.) A private vendor was to create a global search
capability for all the unstructured data. This new database would then be
made available to analysts at the Texas Fusion Center, a crisis management
bunker operated by the governor¹s Division of Emergency Management. McCraw
rushed through a contract with Northrop Grumman Corp. for a database project
to last until October 2006 at a cost of $1.4 million in federal homeland
security funds.

³The Louisiana State Police has informed Texas officials that known
criminals are among our evacuee population,² reads a statement of work for
Northrop. ³Moreover, we have been told that many of the individuals who were
involved in heinous crimes at the Superdome are now a part of our evacuee
population. There is a critical need to immediately collect and analyze
criminal data related to evacuees and provide it to local law enforcement
officials throughout Texas. This requires the rapid acquisition of
information technology tools.²

McCraw says today that the purpose of the project was to help DPS coordinate
its criminal justice information. According to several accounts, DPS
officials resisted this ³help,² and its Criminal Law Enforcement Division
only handed over data‹including open cases still under investigation‹after
being ordered to do so.

By the summer of 2006, it was clear that Northrop could not make the project
function and that the threat from Katrina evacuees appeared to be overblown.
In addition to the fact that it didn¹t work, the project had multiple flaws.
Chief among DPS¹s concerns was that it was not clear who at Northrop had
access to the data, or what had become of it.

In an e-mail on August 17, 2006, Kent Mawyer, chief of the enforcement
division, wrote to McCraw: ³... with the termination of the project, I will
be notifying NG to confirm delete of all data from affected servers ... to
include any backups and closure of the firewall.²

McCraw responded: ³Please hold off on any deletions until I have an
independent audit conducted to ensure there are no excuses for meeting
operational requirements.²

Rather than go through the state auditor¹s office, McCraw commissioned an
audit of the project by a former colleague from his FBI days. She produced a
five-page evaluation. Under a section on security, the audit read:

Operation of the system has been suspended by DPS primarily for security
reasons. Other than a firewall, the system had no front-end security (no
access control) and it also collected no audit data (nothing to record what
users had done). During its brief operation, the data was available
theoretically to anyone at the DPS IP address who typed in the web address
for the system. NG asserts that security features were eliminated from the
proposal to cut costs; this appears to have been an inappropriate solution
in the absence of alternative security measures.

McCraw says some of the money for the Katrina project was spent on hardware
and software that can still be utilized. He insists that the data DPS gave
Northrop Grumman were eventually returned. Extensive public records requests
have not revealed any documentation to that effect.

Control and security of data would be an issue with Appriss as well. Some of
the difficulty stems from using private vendors to handle sensitive
material. For McCraw, this is the future and the only way to operate. ³What
we are trying to build,² he says, ³is an intelligence capability or
intelligence-sharing capability. Not do it in the old ways, where it takes
four years to roll out, and not do it where the government is going to do
it, where it¹s cost prohibitive, but to do it in a way that leverages the
private sector¹s capability and know-how.²

Fortunately, there are federal guidelines laid out by the FBI¹s Criminal
Justice Information Services Advisory Policy Board. As part of the CJIS
guidelines, before a private vendor can handle sensitive material, its staff
must undergo background and fingerprint checks. CJIS also contains policies
governing the operation of computers, access devices, circuits, hubs,
routers, firewalls, and other components that comprise and support a
network.

According to DPS, as of April 11, Appriss is still not CJIS compliant.
McCraw disputes this. ³DPS is wrong,² he says. ³We¹re more in compliance
with CJIS security requirements than CJIS.²

McCraw knows from experience that larger Texas police departments will not
give their files to a system that is not CJIS compliant for fear of
compromising their data. DPS has heard from the McAllen and Plano police
departments, which have voiced concern over TDEx for this very reason. And
it¹s not unfounded.

As late as October 2006, more than a year after Appriss signed its contract
and after receiving sensitive data from the Texas Rangers and the state
Highway Patrol, Appriss had not given Texas authorities fingerprints or
background checks of all its employees handling the data, according to
e-mails obtained by the Observer. There were also questions about the
security of the company hired to shred documents for Appriss. (McCraw says
all background checks have since been completed.)

In hope of providing some form of monitoring over the Appriss facilities,
Texas DPS authorities began discussions with the Kentucky State Police to
make them a ³supervisory² criminal justice agency for site security. No
agreement was formalized. In a recent interview, McCraw insists that there
are sufficient safeguards and it¹s no longer necessary. ³In today¹s world,
where the warehouse is doesn¹t matter, as long as it¹s in complete
compliance with all the security protocol and ... you have the ability to
audit at any time,² he says.

Others disagree. ³Once that data leaves, you¹ve lost control,² says one law
enforcement official knowledgeable about TDEx who requested anonymity.

One sticking point for DPS was how Appriss would provide a statewide network
to deliver the information that would be sufficiently secure. There was one
available: the FBI¹s Law Enforcement Online network. DPS urged Appriss to
use it. McCraw nixed the idea. ³... my concerns with LEO is simply this: If
it is not funded or there are other FBI priorities as in the past we lose,²
McCraw e-mailed a DPS supervisor from his Blackberry.

Because of these and other issues, the DPS¹s Criminal Law Enforcement
Division decided that despite McCraw¹s objections, it would only provide
TDEx with information on closed cases.

In some ways, TDEx¹s goals are not necessarily bad. The need for law
enforcement agencies to better communicate and share information with each
other has been widely recognized by the 9/11 Commission, among others. But
even if the TDEx system could solve its significant security hurdles and
manage to function as intended, there would still be the issue of its
control by the governor¹s office.

Asked about the dangers involved in allowing a political office to control
such a database, McCraw replies, ³I¹m the only one [from the governor¹s
office] that has access to TDEx, and the reason I have access to it now is
not because I need it, but because I¹m just testing its capability.²

When it was pointed out that Jack Colley, director of the governor¹s
emergency management division, also had access, McCraw backtracked and took
refuge in the idea that no matter who the user, there would be an audit
trail of their searches.

Civil libertarians are not assuaged by this kind of answer. ³Criminal
intelligence data should be in the hands of a professional law enforcement
agency that has distance from the political pressures on elected officials,²
says Rebecca Bernhardt, immigration, border and national security policy
director for the Texas ACLU. ³How can we be sure that we will never have a
governor who will misuse this power?²

Rather than take a serious look at these issues, the Texas Legislature seems
intent on giving Perry even more power. The governor is pushing an
appropriation of $100 million for border and homeland security. Presumably,
some of that money would be used for TDEx. House State Affairs Chairman
David Swinford, a Dumas Republican, is offering House Bill 13, ³relating to
homeland security issues.² The bill is scheduled for hearing on Friday,
April 13. Leading up to the hearing, the bill¹s content was a bit of a
moving target. Two days before the hearing, there already had been two
committee substitutes, with the possibility of a third on the way. The most
recent version had a provision that reads: ³The Department of Public Safety
of the State of Texas shall provide to the State Office of Homeland Security
any criminal intelligence information that the director of the State Office
of Homeland Security determines is relevant to Homeland Security
operations.²

Asked about this provision, McCraw vowed that it would not be in the final
version. ³I¹m sure there are some that think I was conspiring to take over
criminal intelligence,² he says. ³I got enough problems tying my shoelaces;
it¹s not about one agency, it¹s about multiple agencies working as a team.²

Meanwhile, the Perry Alliance Network paid for by Texans for Rick Perry has
been sending out e-mails in support of Swinford¹s bill.