Privacy SOS

Corporate data management for law enforcement and confidential informants

Yesterday I wrote a quick blog about the data-mining and electronic systems management firm NTREPID, which produced a strange document purporting to show the network of power connecting "anarchists" in the United States. The most powerful image associated with that product was the following, which purports to lay out the connections between supposedly "anarchist" activists and organizations, including PBS, Citizen Radio and Occupy Oakland. 

If you click on the image to enlarge it, you'll be able to read the key in the top left hand corner, which provides identifiers for the various nodes on the graph. 

One of those nodes, the light blue one, represents "FBI Informants". In yesterday's blog post I wondered aloud how NTREPID might have access to the identities of FBI confidential informants. Those identities and their targets are closely guarded secrets of intelligence and law enforcement organizations, for good reason, so it struck me as odd that a private company had access to all of that information.

Today an independent researcher who goes by @1000Burners on Twitter alerted my attention to a document that might provide an answer to this worrying question. 

A State of Michigan work contract laying out the new terms of a nearly $4 million deal with the Memex Corporation (a division of the British data processing giant SAS) describes an add-on to Memex's Patriarch system, a data management program that helps "fusion centers" and organizations like the FBI manage and search large amounts of data on targets and suspects. The product sounds like a Google for the government spy world.

A Signal Online article describes Memex Patriarch:

[I]t is an operational intelligence management system that enables the secure input, management, development, analysis and information sharing of critical data across organizations and among their partners. The system allows agencies to manage and retrieve intelligence that helps prevent all types of crimes, and it enables law enforcement to predict, prevent and respond efficiently to threats in real time.

The Patriarch system is also operational at the following law enforcement agencies (this is not at all an exhaustive list):

Bedfordshire, Surrey and British Transport police departments [UK]; the Delaware, Michigan, New Hampshire and Pennsylvania state police; Kansas City Terrorism Early Warning Group; Northeast Ohio Regional Fusion Center; Los Angeles and Philadelphia police departments; Central California Intelligence Center; Belize Police Department; Albania State Police; and the U.N. Office on Drugs and Crime.

The particularly interesting add-on that the state of Michigan was offered for its program is described as follows (look here, page 154):

The Confidential Informant Tracking System Database (CIDB) should be able to document and manage information regarding the registering, documenting reliability, recording informant payments, and supervising of confidential informants.  Currently all Confidential Informants used by MSP are required to be properly documented as to their activities and who is responsible for them while being utilized by the department. Currently there is no statewide capability to document and track confidential informants between jurisdictions.  The lack of this capability has the potential to put at risk the investigators who rely on informants to conduct many types of covert operations.  The CIDB is an optional solution. 
We know the FBI has contracts with Memex to operate suspicious activity reporting through its eGuardian program. If the FBI is also using the Patriarch system to manage its confidential informants, at least one company in the private sector has access to the names, connections and identifying information of those people. But how would NTREPID get access to that data so that it could fill in its "anarchist threat model" sales sheet?
Is it possible that agencies deploying the NTREPID "Tartan Metrics" software have granted that company access to their confidential informant information, as some appear to have done with the Patriarch system?
Divulging this extremely sensitive information to contractors raises a number of security and privacy concerns, not least of which is the application of informant information to the kinds of "threat model" graphing projects depicted above. 
There are nearly five million people in the US with security clearance. A large number of those people work for private corporations, not for the government. Do they know too much?

© 2021 ACLU of Massachusetts.