Privacy SOS

Secret Service farms out its internet monitoring to a private British firm

In October 2012 there was a flurry of news articles about the Secret Service's monitoring of the Internet and social media, looking for people making threats against public officials. Now we know a bit more about that program, thanks to a recently published DHS privacy impact assessment.

Federal agencies are required to publish public notices describing how any of their programs collect, retain or share personally identifiable information (PII). One of the latest DHS privacy impact assessment pertains to the Secret Service’s Cyber Awareness Program (“Cyveillance”), which is run by a private firm called QinetiQ, a multinational British war and surveillance contractor. Among the many services Cyveillance provides is an executive threat monitoring program. 

Cyveillance advertises its executive threat program as one that “monitors the Internet to provide advanced warning of company-specific threats including:

  • Organized demonstrations
  • Planned boycotts against products and services
  • Threats against employees, corporate officers, facilities and resources
  • Smear campaigns and dissemination of misinformation
  • Planned activities to interrupt business operations and events
  • Solicitations to conspire against the organization

Demonstrations, boycotts, threats against your officers, employees, and facilities… There’s a big price to pay in terms of compromised reputation, employee safety… and customer trust.

Today’s online threats require an intelligence-led approach to security – an approach that identifies risks early for effective prevention and mitigation. Cyveillance Corporate Security provides the people, process and technology to deliver the most advanced and reliable intelligence on company-specific activities.

Some special features of the program include a “Permanent archive of all incidents delivered” and a “Searchable index of all suspicious data discovered.”

The DHS privacy impact assessment on the Secret Service program is exceptionally short on details regarding just what kind of information the company collects on its behalf, or from where it collects this information. But the agency does disclose that the data sucked up and analyzed via the Cyveillance project includes personally identifiable information. The document also informs us that any public mention of “Secret Service” triggers the system, and that all such mentions are forwarded to government agents to look over. But that’s basically all the substance it provides.

DHS provides a lesson in phoning it in

When the DHS privacy office asked the Secret Service to “identify the information the project collects, uses, disseminates, or maintains,” it got this hilariously useless response: “Cyveillance identifies content that falls within the search parameters dictated by the Agency.” But it doesn't press the agency to describe those search parameters.

Here’s another winner:

“What are the sources of the information and how is the information collected for the project?” 

Get ready to be blown away by the specificity of this response.

“Cyveillance uses technology to identify information related to the Secret Service and its missions in accordance with parameters established by the Agency.”

Wow. It uses “technology”! Who would’ve guessed.

But wait, it gets better.

“Does the project use information from commercial sources or publicly available data? If so, explain why and how this information is used.”

Answer: “Yes.” (That’s the entire answer. Apparently the second part of the question got lost in the mail.)

Since DHS won't tell us squat about how it collects information or what kind of information it collects, here’s a bit more about the Cyveillance program, culled from the contractor's public-facing website:

Real-time alerts of high priority threats provide the lead time required to address security issues before damage occurs. Your solution can also include daily summaries covering all the open source intelligence gathered. This valuable summary highlights top priority items and is delivered into the Cyveillance Intelligence Center portal. 

The Cyveillance portal provides a consolidated, real-time view of your organization’s entire online security status. This online intelligence management center gives you immediate, ongoing access to all your data collected from the Internet. Your cross functional teams can efficiently track and manage each case through easy-to-use dashboards and collaborative workflows.

You get a better grasp of what’s going on and more time to act.

Cyveillance gives its corporate and government customers a better grasp of what’s going on, but the government didn’t give we the people a very good grasp of its internet monitoring program in this typically information-starved privacy impact assessment.

Back in October 2012, the Secret Service told the LA Times, “We cast a wide net for information, and that includes law enforcement agencies, federal agencies and the general public. We’re not an intelligence agency — we’re consumers of information.”

Now we know that the agency is a consumer of information identified and collated by a British multinational surveillance contractor. We don’t know much more, but we know that.

© 2021 ACLU of Massachusetts.