You don’t know MNJAC: Anti-terror fusion center grapples with security flaw, new privacy policy


A post-9/11 intelligence agency created to collect and analyze suspicious activity reports from across Minnesota is operating without an important and widely used safeguard meant to check against inappropriate use of data.

by Dan Haugen
A state law enforcement center set up to collect, analyze and share suspicious activity reports has taken a step toward addressing some of the concerns raised about it by privacy and civil rights advocates. The governing board of the Minnesota Joint Analysis Center (MNJAC) unanimously voted on Monday to approve a new privacy policy for the center, according to Janell Rasmussen, government relations administrator for the Minnesota Bureau of Criminal Apprehension. The policy is unchanged from a draft policy written by a privacy committee that’s been advising the center on these issues, which we reported on earlier this week.

The privacy policy lays out several rules for how the center collects and retains information, much of which is submitted to the center by partnering law enforcement agencies. Among the restrictions: The source of information must be “reliable and verifiable.” (The center recently removed a form on its website that allowed users to anonymously submit terrorism tips.) A case file involving First Amendment protected activities cannot be opened unless there is specific information indicating the individual or organization “has, is about to, or has threatened to” commit a crime. Information must be collected “in a lawful manner,” and must be kept accurate and current.”

Media attorney Mark Anfinson previously told the Minnesota Independent he thinks it’s a strong policy. However, “It’s still just a piece of paper. It’s a pretty good piece of paper at this point. I think it’s well balanced in terms of law enforcement needs and these other concerns, but it doesn’t enforce itself, and so the second part of the equation is still to be solved, which is will the Department of Public Safety and MNJAC follow their policy?”

Most law-enforcement databases are protected with software that automatically keeps a record of every search that’s performed. That way supervisors can easily monitor who is accessing what information.

A records-management system at the Minnesota Joint Analysis Center (MNJAC), however, relies on employees to manually record searches. Data-policy consultant Robert Sykora calls it “an anxiety-provoking flaw” that leaves part of the system open to abuse.

Upgrading to a self-auditing records system is one in a series of recommendations being made by a privacy-policy committee that MNJAC assembled earlier this year. The 10-member committee includes attorneys, law enforcement officials and privacy advocates.

Today, the center’s governing oversight board will consider adopting a privacy policy drafted by the advisory committee.

The draft policy proposes, among other things, that MNJAC accept information only from reliable and verifiable sources, that it refrain from opening cases that involve First Amendment-protected activities unless linked to a specific threat or crime, and that the center regularly purge outdated, inaccurate or otherwise useless data. (Here’s a PDF of the draft privacy policy.)

MNJAC is one of more than 50 “fusion centers” set-up since 9/11 to help local, state and federal law-enforcement agencies share information. Some blame the “siloing” of information for intelligence failures leading up to the attacks — most notably in the case of Zacarias Moussaoui, the would-be 9/11 participant whose unusual behavior at an Eagan, Minnesota flight-training school was not shared by the FBI with other intelligence agencies.

The concept is to serve as a “funnel point” for information, says MNJAC director Mike Bosacker (pictured). The centers collect and analyze reports from various partners in hopes of spotting trends or patterns individual agencies might miss.

The centers were seeded with federal homeland security grants but are run by local and state governments. They initially focused on terrorism only, but most have since expanded their mission to include others crimes and hazards.

While fusion centers vary significantly in size and scope, one constant is the ire they’ve raised among civil liberties and privacy advocates.

“The lack of proper legal limits on the new fusion centers not only threatens to undermine fundamental American values, but also threatens to turn them into wasteful and misdirected bureaucracies that, like our federal security agencies before 9/11, won’t succeed in their ultimate mission of stopping terrorism and other crime,” the American Civil Liberties Union (ACLU) said in a report (PDF) called “What’s Wrong With Fusion Centers,” released in December.

Sykora, a Minnesota ACLU board member as well as member of the MNJAC privacy-policy committee, is chief information officer for the State of Minnesota Board of Public Defense. He’s currently on a leave of absence and working as a consultant for the Minnesota Bureau of Criminal Apprehension (BCA), which oversees MNJAC.

He prefaces his critique of MNJAC by noting all of the employees he’s worked with have struck him as “decent, honest, hard-working people.” That said, however, effective safeguards like automated search logs are designed to monitor the people you don’t know, he says.

The importance of tracking of who’s accessing what information was illustrated in the news earlier this month. A veteran Minneapolis police officer was indicted for allegedly selling information from a nonpublic police database to someone he thought to be gang member for $100. It’s not only money that leads to such abuses, Sykora notes. Sometimes it’s curiosity. Or spite.

“The angry boyfriend or angry girlfriend scenario is so frequently behind abuses of information that it’s almost comical. Someone’s resentful of their ex-partner’s new partner so they check out the new partner, and they shouldn’t use the system for that,” Sykora says.

By law, certain law-enforcement databases that receive federal funding are required to have software that automatically records searches, Sykora says. Most fusion centers, including MNJAC, have voluntarily agreed to follow that law, which is 28 CFR Part 23.

“I think it’s important that MNJAC find a way as fast as it can to build in an automated audit system, both because common sense demands it and the federal standards they’ve agreed to abide by demand it,” Sykora says. “I know they want to do it, but there are funding and time constraints that have made it impossible to date.”

MNJAC launched in May 2005, but it’s only existed in its current form since last June. That’s when it hired Bosacker, a retired captain from the Eden Prairie Police Department, and transferred the center from Minnesota Homeland Security and Emergency Management to BCA’s umbrella. The move allowed MNJAC to be classified as a law-enforcement agency, which relieved it from some of the state’s data laws that were hindering information sharing.

The center has 12 employees, including Bosacker, an operations manager, liason officers and analysts who collect and review reports submitted by 14 participating agencies. They are both metro and outstate police and sheriffs departments, as well as the FBI and a few state agencies. It’s headquartered on Washington Avenue in downtown Minneapolis, on a different floor of the same building that houses the FBI’s local office.

It’s a relatively small fusion center. The number of full-time employees at fusion centers range from three to 250 and average about 27, according to a Congressional Research Service report issued in January. So far, Minnesota’s fusion center has been exclusively paid for by federal grants. Larger fusion centers have been supplemented by state funding, according to Bosacker.

MNJAC’s annual budget is less than $1 million. It won a $1 million federal grant in 2005 that also covered start-up costs. In 2006 it received $800,000, and in 2007 it was awarded $1.8 million, which is expected to cover the center’s expenses through about spring 2010.

“No decisions have been made in regards to any legislative work at this time,” Bosacker says. “It’s a little early for us to be looking at dollars. It’s up to our oversight group to decide what that agenda might be.”

A memorandum of understanding signed by the partnering agencies outlines the regular responsibilities of the center. They include producing two weekly bulletins, one for law enforcement only and another for other government and private sector partners. Earlier this year, for example, it produced a summary of copper theft trends to share with local investigators and others affected.

MNJAC’s primary responsibility is working with the FBI to maintain a web-based data-sharing system called ICEFISHX. It’s a folksy acronym for Intelligence Communications Enterprise for Information Sharing and Exchange. It’s the system that allows law enforcement agencies to upload information.

“Generally, what we’re looking for is a police report, because we want to have that report vetted through a local law enforcement agency,” Bosacker says.

Bosacker says the center does not solicit or mine random data. The type of information going into ICEFISHX is the same as what’s collected by traditional law enforcement agencies, he adds. Almost anything an officer does generates paperwork. The only difference is that in the past, many of those records would have sat in a drawer or on a computer drive, inaccessible to others. MNJAC is gathering those pieces and reviewing them to see if they might fit with a larger puzzle.

That’s a fundamental change for law enforcement, though, points out Chuck Samuelson, director of the Minnesota ACLU. And it’s a change that doesn’t sit well with him.

“I have a visceral problem with government being in the data collection business without more of a focus,” Samuelson says.

The role of police in this country has traditionally focused on solving crimes, Samuelson notes. In his view, MNJAC turns that equation upside down: Instead of investigating crimes that have already happened, it’s investigating crimes that haven’t happened yet.

“When you get in the crime-prevention business rather than the crime-solving business, it gets real fuzzy,” he notes. “Let’s not go down that road unless you can demonstrate that this is going to make us markedly safer.”

It’s the same argument made by the ACLU report: There is scant evidence fusion centers will make us safer but plenty to suggest they’ll impede on rights.

The privacy committee was created by MNJAC to recommend policies for collecting data in a way that respects civil liberties and privacy expectations.

“I want to make sure we’re operating in a way that’s sustainable, because I think this is real important,” Bosacker says. “This is important for the state and the citizens, and I want to do it in a way that we can keep operating.”

Samuelson reluctantly served on the committee, but says his main question — should we have a fusion center in the first place? — wasn’t part of its scope.

“You’re not going to get an endorsement from me for this,” Samuelson declares. “The privacy policy, if you just view it alone, is just fine. And this is not the worst fusion center model that exists in the country. I’m feeling almost like Harry Truman. I’m from Missouri. Show me. Why would I want this?”

Others who served on the committee were more positive about its impact.

“I went into it with some skepticism,” says Mark Anfinson, a prominent Twin Cities media attorney. “There’s often a propensity in government to co-opt one’s potential opponents and adversaries, and it’s a good strategy. By bringing your opponents and adversaries into a process, you can mute their possible future criticism of what you’re doing. I was thinking that might be what was going on, but I concluded it was not at all the case.”

The privacy committee appeared to be a sincere attempt by MNJAC officials to educate themselves about the concerns being raised, Anfinson says. And the result is a privacy policy that, if the board approves it, is a good step toward addressing the concerns.

“It’s still just a piece of paper,” Anfinson cautions. “It’s a pretty good piece of paper at this point. I think it’s well balanced in terms of law enforcement needs and these other concerns, but it doesn’t enforce itself, and so the second part of the equation is still to be solved, which is will the Department of Public Safety and MNJAC follow their policy?… But I’m optimistic based on my observations during the committee process that it will be observed and respected.”

Sykora says one of his two main issues has already been addressed. Until recently, anyone could anonymously submit suspicious activity reports through the center’s website. After Sykora brought his concerns to Bosacker, the site was changed to allow only vetted, approved sources to upload information.

“We’ve already made what I consider a pretty significant step toward avoiding abuses,” Sykora says.

“There’s constant tension between civil liberties and effective law enforcement. As you’re trying to find that balance between going too far one way and going too far the other way, there are just a thousand little discussions you have to have about how best to tune it, to keep it as something that can preserve safety without ruining civil liberties.”