In a hearing convened last week by the House of Representatives, members of the Subcommittee on National Security and the Subcommittee on Government Operations discussed how social media would be incorporated into federal background checks.
Chairman Meadows began the hearing by saying that times have changed since the 1950s when the sole source of assessing one’s character was interviews with friends and family, and that now social media is available to provide a mostly self-published looking glass into who a person is. The hearing came immediately on the heels of an announcement from the Director of National Intelligence James Clapper, who issued a directive stating that social media would officially be a component in evaluating federal employees for security clearances.
According to the directive, the government will only view postings that the applicant made public, and will not require that applicants provide their passwords or information from private accounts. The policy also vowed not to store any applicant information on government servers that did not directly pertain to their security clearance investigation. The directive should be applauded for maintaining the privacy rights of federal employees in regards to their social media, but implementation of the policy must be monitored to ensure it has proper oversight and is not broadened to include private accounts.
Government background checks are intended to assess an individual’s trustworthiness in handling information that would be detrimental to national security if released. The handling of security clearances was reassigned to a newly created entity within the Office of Personnel Management, the National Background Investigations Bureau (NBIB), in the aftermath of the OPM database being hacked twice in 2015. In the breaches, 22 million federal employees and contractors had their personal information accessed by the Chinese government, which was able to obtain personnel files that would have included information from security clearance investigations on criminal history, alcohol and drug use, and mental health counseling. Due to the sensitivity of the information being stored and its history of being stolen, elected officials want to be involved in crafting the policies of the NBIB.
Two senators, Claire McCaskill and Jon Tester, have raised questions as to how the newly constructed NBIB will be held accountable. The senators sent a list of seven questions to OPM Director Beth Cobert. The list sought explanations as to which inspector general would be involved in oversight and how the OPM intends to transition to a screening program that relies heavily on IT. It will be important to monitor developments in the establishment of the oversight mechanism, as the NBIB will be entering uncharted waters with its ability to include social media accounts like Twitter, Facebook and Instagram in its investigations.
While the policy should be lauded as a victory for proponents of privacy, there are a number of questions that are still left unanswered and a number of concerns unaddressed.
First, multiple agencies have already initiated pilot programs to try and determine whether or not scanning social media is a worthwhile effort, as it is costly (ranges between 100 and 500 dollars to screen one applicant) and requires training personnel. Representatives of the Obama administration have suggested using an automated system that screens for keywords to reduce cost. However, automated systems pose the risk of collecting data indiscriminately, which contradicts the promises of the policy.
One skeptic is Virginia Representative Gerry Connolly, who questioned how relevant information would be extracted from “trivia” and expressed fears that the policy would lead to the bulk collection of data. Uneasiness like the kind expressed by Representative Connolly’s is furthered when looking at the comments that have been made by the current transition leader of the NBIB, James Onusko.
Onusko is reported to have described the automated system that scans social media as having the capabilities to “understand the behavioral components of previous leakers” and to then “build a predictive model off those components”, which is a troubling statement because of its ambiguity. For example, if NSA leaker Edward Snowden had “liked” the Electronic Frontier Foundation on Facebook (which is possible, he has an EFF sticker on his personal laptop), it is not clear whether that action would then be considered a behavioral component used to identify potential leakers. Civil rights organizations will have to watch carefully to make sure that privacy safeguards are not cast aside in order to minimize costs and will have to insist on answers as to how the predictive model was created.
Second, some lawmakers are pushing to take the policy further. For example, Chairman Meadows wants the policy expanded to include required searches for applicant aliases and alternative identities. Meadows instructed the Director of National Counterintelligence and Security Center William Evanina to look into revising the policy to include this provision. The policy is still being developed, and that leaves a window for some of the privacy measures to be undone.
At present, the directive aligns with the Local Civil Liberties Protection Act of the BORDC/DDF and makes a clear effort to balance privacy rights and national security. It is important that revisions in the law stay true to this balance and that we remain watchful that the policy is not manipulated to use social media in a way that is unfair to federal employees.