Companies that make data-mining software for local intelligence fusion centers “don’t understand” police are required to observe decades-old federal rules that restrict how certain computer systems containing sensitive information can be used. That conclusion comes from a 25-year veteran of the state police in New Jersey who now works for a company that sells intelligence management products to the law-enforcement community.

Stephen Serrao has visited and worked with several so-called fusion centers, which Congress helped finance after Sept. 11 by making hundreds of millions of dollars in federal homeland security grants available to state and local governments. The idea is for police in your area to better share essential information about possible criminal and terrorist threats with their federal counterparts, poor communication being one of the reasons why the terrorist hijackings were allowed to occur in the first place.

Civil libertarians have repeatedly expressed concern that the centers are stockpiling too much personal data about Americans who haven’t committed a crime in the hope that some piece of it can be “fused” with another to unravel a terrorist plot. Serrao and his colleagues counter that organizations like the ACLU “have no clue” what’s actually being collected and analyzed at fusion centers.

But Serrao in recent months has also written candid articles for security industry media outlets that contained enlightening disclosures while he intended to help fusion centers improve their capabilities. Last year he raised questions about whether the centers had consistently developed clear enough missions for what they wanted to accomplish.

One center, he wrote, spent much of its time handing out driver’s license photos to police who’d requested them because it turned out to be faster than calling the DMV. “So, the center has resources tied up sending out pictures,” he stated, “which leaves little to no resources or time for checking to see if the suspect has any ties to Al-Qaeda. See the problem?”

Centers elsewhere have spent a small fortune constructing facilities with specialized walls, windows and locks so that personnel inside could securely handle top-secret information. “Many fusion centers that will never have to deal with top-secret information have been built to this standard … Most centers are dealing with top secret data less than five percent of the time. We are overbuilding and over-securing these centers at significant cost, and it is causing great inefficiency.”

His latest commentary appeared July 22 on the Security Debrief blog where Serrao described a recent trend among fusion centers to purchase new data-mining tools – one of the very concerns civil libertarians have about the centers. There are multiple data streams available to police that have “separate and distinct laws governing what law enforcement can and cannot do with them.”

To begin with, the tools these vendors are selling may not perform functions that authorities want them to, he wrote, like properly capturing “suspicious activity reports,” another emerging but controversial development at fusion centers.

He goes on to say that many of the companies “don’t understand these systems need to comply with [28 CFR Part 23],” federal standards that govern how police intelligence can be used and shared. The guidelines say that police can’t collect and broadly share intelligence about an individual or group unless reasonable suspicion exists that they are involved in criminal activity. Intelligence here is distinguishable from other police work, such as material generated during the investigation of a crime that’s already been committed.

Consider the difference between a husband investigated for murdering his wife and a large gang suspected of supporting itself by trafficking counterfeit consumer goods. The scope of inquiry can sweep in a greater number of people, and with police power involved, authorities have a responsibility to show that otherwise constitutionally protected Americans deserve to be scrutinized by law enforcement for public safety reasons. Rules controlling this data were conceived years ago following an unsavory legacy of local police intelligence abuses that led to lawsuits and changes in the law.

Which brings us back to data mining, a process that involves much more than finding out if a perpetrator stabbed his beloved to death. Law enforcement officials say the world has become more dangerous since Part 23 first went into effect. Terrorists could be planning attacks in any community across the country, they argue. Technology has made it easier to collect and probe vast amounts of data that could be useful. And with the right information in place to “connect the dots,” police may be able curtail violent crimes before they occur, an extremely popular concept among authorities at the moment known as “intelligence-led policing.”

A fusion center in Massachusetts, for example, uses multiple databases, including two that contain motor vehicle information and insurance claims. The center distributed a pamphlet that says its personnel collect and analyze information “from all available sources to produce and disseminate actionable intelligence to stakeholders for strategic and tactical decision-making in order to disrupt domestic and international terrorism.”

That doesn’t necessarily mean Massachusetts is mining data, but clearly fusion centers have transcended standard witness interviews from everyday burglary investigations. And despite ongoing efforts to improve protections for privacy and civil liberties at the centers, Serrao very lightly suggests that at least when it comes to data mining, it’s possible they’re pursuing new frontiers in law enforcement without fully recognizing the need to respect individual rights:

Agencies want to ensure that they are holding data consistent with all the rules and regulations. If the data-mining technology companies have not considered any of the aforementioned issues, their tools are putting fusion centers at risk of violating statutes, laws and regulations.

Creative Commons License

Republish our articles for free, online or in print, under a Creative Commons license.

G.W. Schulz is a reporter for Reveal, covering security, privacy, technology and criminal justice. Since joining The Center for Investigative Reporting in 2008, he's reported stories for NPR, KQED, Wired.com, The Dallas Morning News, the Chicago Tribune, the San Francisco Chronicle, Mother Jones and more. Prior to that, he wrote for the San Francisco Bay Guardian and was an early contributor to The Chauncey Bailey Project, which won a Tom Renner Award from Investigative Reporters and Editors in 2008. Schulz also has won awards from the California Newspaper Publishers Association and the Society of Professional Journalists’ Northern California Chapter. He graduated from the University of Kansas and is based in Austin, Texas.