Report challenges MIAC’s information collection, retention and auditing practices



Due to its privacy and First Amendment information retention practices, the Maine Information and Analysis Center (MIAC), housed within the Maine State Police Department, has already is the subject of controversy. While two privacy audits conducted last year by MIAC’s advisory board claim the center has addressed these practices, a report released by a group of privacy and criminology experts challenges their findings.

The center is part of a nationwide network of so-called “fusion centers” that sprung up in the aftermath of the September 11 terrorist attacks to facilitate information sharing between law enforcement at the state and federal.

The center partners with the Maine State Police, Maine Emergency Management Agency, Department of Homeland Security, Federal Bureau of Investigation, U.S. Border Patrol, Franklin County Sheriff’s Offices and Kennebec, the Maine Army National Guard, the Department of Justice’s National Drug Intelligence Center, the Maine Secretary of State, and the Maine Department of Corrections.

It was created by executive order in 2006 by then-Governor John Baldacci. According to the executive order, MIAC is responsible for prioritizing and analyzing relevant homeland security information, coordinating interagency participation, receiving and sharing intelligence, and making recommendations to the governor and the Homeland Security Advisory Council. of State.

The order also directs MIAC to “comply with all existing rules and laws relating to the handling of sensitive information,” including the rules set forth in the federal code of regulations.

MIAC’s own Privacy Policy, effective March 20, 2019, contains more specific rules on how it should protect individual interests, including privacy, civil rights, and civil liberties when acquiring and information analysis.

The center is only supposed to seek, preserve and share information based on a “criminal predicate or possible threat to public safety”, is “based on a reasonable suspicion that an identifiable individual or organization has committed a criminal offense or is involved in or planning criminal conduct or activity”, is “relevant to the investigation and prosecution of suspected criminal incidents”, or is “useful in crime analysis or in the administration of criminal justice and public security “.

This information must also be collected from a reliable and verifiable source and collected fairly and lawfully. According to its privacy policy, MIAC is also required to purge criminal intelligence information, unless it is “reviewed and validated,” at least every five years.

But leaked records in 2020 and allegations from whistleblowers suggest MIAC hasn’t always upheld those policies.

George Loder, then a Maine State Trooper, accused MIAC in May 2020 of violating its privacy laws and retaining and sharing the personal information of individuals not suspected of a crime. According to a court case filed by Loder against MIAC, when he was on temporary assignment with MIAC while serving on the FBI’s Joint Terrorism Task Force, he learned that MIAC uses minor offenses as a pretext. to conduct background checks, monitor the social media accounts of people who have participated in lawful protests, and retain this data despite the lack of evidence of criminal acts.

As part of the lawsuit, Loder said he learned that MIAC stores information collected by automatic license plate recognition systems and shared by law enforcement in other states, and logs information collected by Maine State Police as part of background checks conducted on legitimate firearm owners. .

Loder claimed he was demoted in retaliation for raising concerns about these practices with various other law enforcement agencies in MIAC’s intelligence network. Loder’s lawsuit also claimed the agency violated the Federal Privacy Act of 1974, which governs how federal agencies can collect, maintain, use and disseminate information in managed databases. by the federal government.

The officers against whom Loder’s complaints were directed claimed they were entitled to qualified immunity on charges of violating the Privacy Act. A federal judge in the U.S. District Court in Maine dismissed the case in March 2021, ruling in part that Loder lacked standing on the grounds that the privacy law does not apply to public officials. of State. The judge also ruled that the officers were entitled to qualified immunity.

Although the substance of Loder’s accusations were never addressed, a 2020 database breach that was later published on Blueleaks, a website associated with “hacktivist” group Anonymous, produced documents that backed up some of Loder’s claims, including those related to license plate readers and surveillance of protected First Amendment activities.

The controversy led lawmakers to debate LD 1278, a bill that would have shut down MIAC. The House of Representatives voted on June 15, 2021 to insist on its vote to move the bill forward, but the Senate voted the same day to insist on its vote to accept that the majority should not adopt the committee’s report criminal justice and public safety. The disagreement between the chambers resulted in the death of the bill.

The legislature passed LD 12, which requires MIAC to submit an annual legislative report documenting the “types of cases, crimes, incidents, and reports that the center has reviewed and evaluated in a manner that protects the privacy and integrity of the work of the center.” The law, signed on June 11, 2021, also requires the report to include a privacy audit with anonymized information.

MIAC’s annual report for 2021 is just five pages long and contains data on the number of information-sharing requests the center received, as well as the number of entries it made into various force databases. of the order.

Similarly, its confidentiality audit contains copies of questionnaires completed by individual auditors who reviewed MIAC’s records. The audit is conducted by the Director of MIAC, the Chief Compliance Officer of MIAC, the Chief Privacy, Civil Liberties and Civil Rights Officer of MIAC, the Public Member of the MIAC Advisory Board, and a member of the council chosen by its president. The audit includes a review of 10 randomly selected files and 10 files selected by each of the board members.

The audit also includes flagged issues for further discussion with the Center’s Advisory Board.

In the most recent audit, covering the period between August 1, 2021 and December 31, 2021, the audit found “no evidence of MIAC’s non-compliance” with its privacy policy. .

However, the audit also flagged several issues regarding the monitoring of First Amendment activities as topics requiring further discussion, including whether threats or hate speech are protected speech, a topic that was flagged during the audit. audit covering the period between January 1, 2021 and July 31. 2021.

The audit also suggested that the advisory board should discuss further the possibility of First Amendment-protected protests occurring “on the private property of a public employee.”

With few exceptions, hateful and threatening speech is widely recognized as constitutionally protected speech. These issues, along with documented issues with retention of information directly related to criminal activity, have led some to question whether MIAC’s privacy practices are as flawless as the report claims.

This includes the authors of a “shadow report” published on April 1, 2022, which addresses deficiencies in the MIAC audit process. The report’s authors include a social worker, a privacy advocate, a monitoring and evaluation professional, a criminology professor at the University of Southern Maine, and a Maine law student.

The group called MIAC’s oversight “flawed” and said its advisory board, which is exempt from state public records laws, “is made up of individuals who largely have no accounts. to be released to the general public or who lack the expertise to provide meaningful oversight.”

Given what BlueLeaks revealed about MIAC’s inability to properly dispose of information, particularly when it relates to protected First Amendment activities, the report also raises concerns about the thoroughness of the audit process.

“The advisory board vets a random selection of documents and as such avoids reviewing many documents that pose the greatest risk to privacy and other civil liberties,” the report said.