Texas Gov. Rick Perry's Dangerous Database
Stay up to date with the latest headlines via email.
Piece by piece, Gov. Rick Perry's homeland security office is gathering massive amounts of information about Texas residents and merging it to create the most exhaustive centralized database in state history. Warehoused far from Texas on servers housed at a private company in Louisville, Kentucky, the Texas Data Exchange -- TDEx to those in the loop -- is designed to be an all-encompassing intelligence database. It is supposed to help catch criminals, ferret out terrorist cells, and allow disparate law enforcement agencies to share information. More than $3.6 million has been spent on the project so far, and it already has tens of millions of records. At least 7,000 users are presently allowed access to this information, and tens of thousands more are anticipated.
What is most striking, and disturbing, about the database is that it is not being run by the states highest law enforcement agency -- the Texas Department of Public Safety. Instead, control of TDEx, and the power to decide who can use it, resides in the governor's office.
That gives Perry, his staff, future governors, and their staffs potential access to a trove of sensitive data on everything from ongoing criminal investigations to police incident reports and even traffic stops. In their zeal to assemble TDEx, Perry and his homeland security director, Steve McCraw, have plunged ahead with minimal oversight from law enforcement agencies, and even DPS is skittish about the direction the project has taken.
In researching TDEx, the Texas Observer reviewed more than a thousand pages of documents from the Office of the Governor, DPS, and the Department of Information Management. We interviewed law enforcement officials as well as McCraw. The narrative that emerged from the records -- disputed by McCraw -- is a headlong pursuit of control through information hoarding for a project in search of a purpose. Along the way, money has been squandered, sensitive data potentially lost, and security warnings unheeded.
If information is power, Perry and his successors are about to become powerful in ways that are scaring civil libertarians, and probably should alarm every Texan.
Texas agencies already have plenty of information on all of us -- driver's licenses, fingerprints, and proofs of address, details we provide every time we renew our licenses, register a car, or vote. Then there's every brush with the law, all the criminal convictions, prison records, and so forth. Much of that information is now scattered about in different agencies and locations. Never has it been pulled together for the ease of access that TDEx promises.
There's also a less discernible realm of information that should perhaps concern the citizens of Texas more. In the course of doing their work, police agencies vacuum up enormous piles of tips, rumors, innuendo, guesses, false reports, and other useless material that they sift through to solve crimes and identify criminals.
Access to this massive trove of information -- files on cases in progress, notes about "persons of interest"who may prove to be of no interest at all, details involving confidential informants -- is closely guarded for good reason. Information worthless for solving a crime might be useful in other contexts. Like politics or personal revenge. The potential for abuse explains why access to existing federal and state crime databases is normally strictly controlled. Over the years -- in the wake of scandals like J. Edgar Hoover's secret FBI files and the increasing privatization of computer databases -- federal regulations have evolved to ensure the safety of information and accountability for its use. Keeping a tight rein on who can access raw investigative data, and for what purposes, is supposed to prevent abuses large and small -- from high officials who might misuse information for political purposes down to small town deputies who might be willing to sell information, or use it to track down an ex-wife's new boyfriend.
The federal rules apply to states that accept federal money and ensure the integrity of law enforcement efforts. Under federal rules, a database like TDEx must be run by a criminal justice agency. According to the FBI and DPS, Texas Homeland Security is not a criminal justice agency.
McCraw, who has an extensive criminal justice background, including a stint as an assistant director of the FBI's Office of Intelligence, has fought a pitched battle with DPS in his zeal to promote TDEx. Repeatedly DPS has raised concerns, chief among them whether the new database is even secure enough to keep unauthorized users from logging on because it lacks "advanced authentication" to ensure that people accessing the database are who they say they are. DPS is also worried that the same user could be logged on to the system multiple times concurrently.
Then there's the problem of getting rid of bad data or faulty intelligence that finds its way into the system. Each agency that gives data to TDEx is responsible for the accuracy of its own information. But where once the mistake of a single police department was its own, TDEx offers the potential to amplify that error statewide.
To identify weaknesses within TDEx, a database manager with the DPS Criminal Law Enforcement Division, at the direction of his boss, easily defeated the security of the user registration process last summer. He did it by employing an accurate and relatively easily obtained agency identification number, and used one of his son's e-mail accounts. In retaliation, Jack Colley, the governor's director of emergency management, revoked the DPS staffer's access to TDEx. After DPS complained, it was reinstated 11 days later.
McCraw says the audit and authentication issues raised by DPS have been resolved. He says that an on-again, off-again Texas Intelligence Council of law enforcement officials will eventually supervise TDEx. McCraw blames DPS reluctance to embrace TDEx on its fear of change. "You are going to see a strong resistance institutionally to move to new things,"he says.
Remarkably, in many ways TDEx seems to be an improvement over Texas Homeland Security's first stab at a database run by a private contractor. On June 27, 2005, the Department of Information Resources, at McCraw's behest, sent out a "request for offer"to vendors that could provide a "Solution for Local, Intra-State, and Inter-State Sharing of Offender and Other Investigative Data."DPS was not consulted in the development of the offer request. The resulting contract given to Kentucky-based Appriss Inc. would initially be worth a little more than $759,000.
The information department, which handle's the state's computer needs, originally was supposed to monitor how well Appriss did the job, but that arrangement quickly ran into a problem. Under federal law -- relevant because federal money was being used -- the contract had to be overseen by a criminal justice agency. So McCraw simply designated the department as one. "I am writing to confirm the Texas Department of Information Resources (DIR) is an agency with law enforcement functions for the purpose of TDEx," he wrote to Larry Olson, the department's chief technology officer.
While TDEx was getting under way, on August 29, 2005, Hurricane Katrina hit New Orleans. As Texas cities filled with Louisiana refugees, panic over the possible arrival of a criminal element from New Orleans seems to have gripped some Texas authorities. McCraw proposed a separate database that would group traffic law enforcement information, DPS criminal law enforcement reporting, the Texas Rangers database, consumer records amassed by a scandal-ridden private data company called ChoicePoint Inc., prison records from Appriss, and criminal information from the Louisiana State Police. (There are differing accounts of whether polygraph information, the inclusion of which if not redacted could have violated state law, was also provided. McCraw says no.) A private vendor was to create a global search capability for all the unstructured data. This new database would then be made available to analysts at the Texas Fusion Center, a crisis management bunker operated by the governor's Division of Emergency Management. McCraw rushed through a contract with Northrop Grumman Corp. for a database project to last until October 2006 at a cost of $1.4 million in federal homeland security funds.
"The Louisiana State Police has informed Texas officials that known criminals are among our evacuee population,"reads a statement of work for Northrop. "Moreover, we have been told that many of the individuals who were involved in heinous crimes at the Superdome are now a part of our evacuee population. There is a critical need to immediately collect and analyze criminal data related to evacuees and provide it to local law enforcement officials throughout Texas. This requires the rapid acquisition of information technology tools.”
McCraw says today that the purpose of the project was to help DPS coordinate its criminal justice information. According to several accounts, DPS officials resisted this "help,"and its Criminal Law Enforcement Division only handed over data -- including open cases still under investigation -- after being ordered to do so.
By the summer of 2006, it was clear that Northrop could not make the project function and that the threat from Katrina evacuees appeared to be overblown. In addition to the fact that it didn't work, the project had multiple flaws. Chief among DPS's concerns was that it was not clear who at Northrop had access to the data, or what had become of it.
In an e-mail on August 17, 2006, Kent Mawyer, chief of the enforcement division, wrote to McCraw: "... with the termination of the project, I will be notifying NG to confirm delete of all data from affected servers ... to include any backups and closure of the firewall.”
McCraw responded: "Please hold off on any deletions until I have an independent audit conducted to ensure there are no excuses for meeting operational requirements.”
Rather than go through the state auditor's office, McCraw commissioned an audit of the project by a former colleague from his FBI days. She produced a five-page evaluation. Under a section on security, the audit read: