Standard updated for reporting suspicious activity

Changes address recommendations from privacy and civil liberties advocates

The federal government has updated its standard for how law enforcement organizations from different levels of government should report on, and share electronically, observations on activities considered suspicious concerning terrorist activity. Officials say the changes incorporate feedback from police along with privacy and civil liberties advocates.

The new version of the functional standard for suspicious activity reporting (SAR) defines suspicious activity as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity,” a change from the previous definition. Civil liberties advocates worried the earlier description of suspicious activity, released in January 2008, was too broad and created possibilities for abuse.

The changes from the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment (PM-ISE) come as that office continues a pilot program for the SAR information sharing program at sites around the country. The program uses state and local intelligence fusion centers as a node for verifying and disseminating data on suspicious activity through information technology systems.

John Cohen, a senior adviser to the PM-ISE, said the changes are intended deal with concerns from privacy and civil liberties advocates, as well as state and local law enforcement officials. Cohen said the changes are meant to ensure the SAR process “helps effort to fight crime, but at the same time is protective of both privacy and civil liberties.”

The updated standard, signed May 21, separates behaviors that could be observed as suspicious into two categories: defined criminal activity with a potential link to terrorism, and others that are potentially criminal or non-criminal activity that requires additional support to be considered a SAR. The guidance also says the latter are generally activities protected by the First Amendment that require additional support to be described as SARs.

Defined criminal activity includes attempting to or actually entering restricted areas, cyberattacks or vandalism. Meanwhile, activity that requires additional support to be included as a SAR includes taking pictures or video of facilities in a way that arouses suspicion, having unusual amounts of weapons or explosives or demonstrating unusual interest in buildings or infrastructure.

After a report is determined to be a SAR for the information sharing environment (ISE-SAR) it can then be shared through using IT systems with various agencies that are involved in counterterrorism.

Michael German, national security policy counsel for the American Civil Liberties Union and a former FBI agent, praised the changes. German was one of the civil liberties advocates that met with PM-ISE to provide input for the new version of the functional standard.

German said the key changes included the narrowing of the definition to ensure that the SAR program doesn’t change the rules that police must follow when stopping or questioning people, as well as a reiteration that race or ethnicity can’t be used as a factor for suspicion. In addition, he said the ISE also laid out a two-part review process to determine whether a report meets the ISE-SAR threshold and can be shared through the system.

According to the new guidance, officials at a fusion center or from a federal agency review the reported suspicious activity against the criteria for an ISE-SAR. If the report meets the criteria, then an analyst or law enforcement officer needs to determine if that information has a potential nexus to terrorism before it is classified as an ISE-SAR and then shared accordingly.

German said while he was pleased with the changes, the real test will come on how agencies put in place the new standard and that oversight is required.

“We’re hopeful that the way that that is implemented will ensure that innocent people and innocent activity isn’t being collected and isn’t being put into a shared system,” he said. “The test will be how these policies are implemented and whether other agencies adopt the same standards.”

About the Author

Ben Bain is a reporter for Federal Computer Week.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Thu, Jun 4, 2009 John Rosengarten Chicago USA

We must remember that data rules to protect civil rights may be observed during a benign administration might be subsequently misused as a more paranoid administration comes to power. So I do think that any collection of data on people is going to eventually mined to crack down on political opposition. On the other hand, information that can not directly be tied to an investigation today might be critical at a later date, so to not collect data means loss of effective evidence. Balancing these two potential uses of raw log data is the first step in protecting from both external (terrorists) and internal (abusive investigations) risks. To collect all data makes it likely that innocent people will someday be subjected to unwarranted scrutiny. To not collect all data deprives law enforcement the evidence they may need to connect handlers and cells in future incidents. We need checks and balances to manage this data. No one group or agency alone, can ever be trusted with all the data, all the time. I propose we have an agency that can know everything, but can not do anything except determine what information can legally be shared. Also, once shared, the data can not be kept by the investigating agencies. Also, all records not needed to conclude the investigation must be purged. I think we should create a bureau of "Cyber Marshalls" who protect civil liberties and provide needed information to legitimate investigators. Even this would probably fall under the sway of a powerful clique or leader, and more controls might have to be invented.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above