In an Aug. 29 report, Department of Homeland Security inspector general John Roth said that in the course of a criminal investigation of two men who helped prospective Customs and Border Patrol employees cheat on polygraph tests, agents gathered sensitive personal information on nearly 5,000 individuals and released it to as many as 30 other federal agencies.
Roth's report said the CPB's initial information gathering was legal.
But when the CPB shared that information with other federal agencies like the CIA, the Secret Service and the Transportation Security Administration that use polygraph tests in their hiring process, it failed to “document its disclosures of sensitive [personal information], password protect sensitive [personal information] in electronic transmissions or obtain consent from the agencies that originated the information to further disseminate it.”
Failing to follow these required procedures, Roth said, violated both the 1974 Privacy Act and DHS policies.
“We believe the manner in which [Customs investigators] shared the sensitive [information] showed a lack of regard for, and may have compromised, these individuals’ privacy,” the report said. “We attribute this to [the agency's] general belief that accomplishing its law enforcement mission takes precedence over its responsibility to protect individuals’ privacy.”
The incident began in 2012, when the CPB began investigating Doug Williams, a former Oklahoma City police polygrapher who had long questioned the reliability of such tests, and his associate, Chad Dixon. The two men provided tips and strategies for job applicants seeking to defeat lie detector tests.
Dixon pleaded guilty in 2013 to “obstruction of an agency proceeding” and was sentenced to eight months in prison. Williams was found guilty at trial in 2015 of of witness tampering, mail fraud and “training people to lie and conceal crimes and other misconduct during polygraph examinations.” He was sentenced to two years in prison.
In the Dixon investigation, Roth's report said the CPB’s Office of Professional Responsibility “collected about 30,000 phone numbers related to potential clients.”
In its investigation of Williams, the CPB's Office of Professional Responsibility “obtained Williams’ customer mailing list,” which contained the names and addresses of “4,904 individuals who, at a minimum, purchased training materials” on how to foil lie detector tests.
Customs officials told Roth’s investigators they collected the information and later expanded it to include Social Security numbers, dates of birth, banking activity and criminal histories “to identify a list of potential witnesses and possible co-defendants.”
Roth’s report said such information gathering doesn’t violate the federal Privacy Act because it was collected as part of the CPB’s “law enforcement investigations” of Dixon and Williams.
The inspector general found that 111 individuals on Williams’ customer list were “current or former employees or applicants for employment” at the CPB.
But also on the list were people who had “no apparent affiliation with the federal government,” and included such diverse professions as “an actor, biochemist, casino dealer, chiropractor, professional golfer, priest and massage therapist.”
Williams' list also contained 102 individuals with foreign mailing addresses and another 64 who were deceased.
Roth’s report said the CPB’s motives for sharing of the information with other government agencies was “questionable,” and that it “shared the information in a manner that did not comply with certain aspects of the Privacy Act and DHS policies and with little regard for individuals’ privacy.”
Roth said that while Privacy Act gives law enforcement officials “wide latitude in sharing,” personal information, it is also “imperative that law enforcement officials not take advantage of their authority and fail to safeguard individuals’ privacy.”
“Ultimately,” the report said, “we may never be able to substantiate the full extent to which the sensitive [personal information] was shared during the investigations, either by CBP [Office of Professional Responsibility] or by agencies who received the information from [it].”
Sean Mildrew, the CPB’s chief accountability officer, while agreeing with the recommendations, said the errors in handling the information were “more attributable to procedural error than institutional indifference.”
Mildrew said the CPB is “keenly aware” that privacy protections must be observed, and has put “new senior leadership” in its Office of Professional Responsibility to “oversee all aspects of the office’s operations, policies, and practices.”