Governor Rick Perry's homeland security office is supervising the maintenance of a giant illegal database containing "tens of millions" of records constituting a massive intelligence gathering operation targeting the citizens of Texas.
The Texas Observer this week revealed the existence of the database and several alarming facts surrounding its creation, maintenance, and accessibility.
First and foremost, the premise on which the Department of Homeland Security and the state's Department of Information Management base their to create and maintain the database (called the Texas Data Exchange, TDEx for short) is tenuous at best and most likely fundamentally illegal.
Under federal rules, a database like TDEx must be run by a criminal justice agancy. The Texas Homeland Security Department is not classified as a criminal justice agency by either the FBI or the Texas Department of Public Safety.
In order to get past this requirement, Steve McCraw, the Perry administration head of the Department of Information Management—an agency that is only supposed to handle the state's computer needs—simply declared that his department was in fact a criminal justice agency. No legislation was passed, no state regulation was changed: McCraw simply made it so:
The information department, which handle’s the state’s computer needs, originally was supposed to monitor how well Appriss did the job, but that arrangement quickly ran into a problem. Under federal law—relevant because federal money was being used—the contract had to be overseen by a criminal justice agency. So McCraw simply designated the department as one. "I am writing to confirm the Texas Department of Information Resources (DIR) is an agency with law enforcement functions for the purpose of TDEx," he wrote to Larry Olson, the department’s chief technology officer.
Changing agency functions beyond the scope of what is authorized by the Texas Legislature isn't the only problem here.
The database itself isn't even maintained in Texas and is handled by a private contractor. And, instead of being under the control of the Texas Department of Public Safety, the state's top law enforcement agency, the database and the authority to designate its users resides in the Governor's office, through his Homeland Security Division:
That gives Perry, his staff, future governors, and their staffs potential access to a trove of sensitive data on everything from ongoing criminal investigations to police incident reports and even traffic stops. In their zeal to assemble TDEx, Perry and his homeland security director, Steve McCraw, have plunged ahead with minimal oversight from law enforcement agencies, and even DPS is skittish about the direction the project has taken.
This breeds the potential for government corruption not seen since the administration of Richard Milhouse Nixon: enemies lists and the like all come flooding to mind.
And, security of the system is a problem. This is from an evaluation of the system the Observer obtained:
Operation of the system has been suspended by DPS primarily for security reasons. Other than a firewall, the system had no front-end security (no access control) and it also collected no audit data (nothing to record what users had done). During its brief operation, the data was available theoretically to anyone at the DPS IP address who typed in the web address for the system. NG asserts that security features were eliminated from the proposal to cut costs; this appears to have been an inappropriate solution in the absence of alternative security measures.
And, subcontractors like Appriss haven't helped security measures any. In fact, Texas officials tried to make the Kentucky State Police a supervisory agency over the database, since it is housed in Kentucky:
In hope of providing some form of monitoring over the Appriss facilities, Texas DPS authorities began discussions with the Kentucky State Police to make them a "supervisory" criminal justice agency for site security. No agreement was formalized. In a recent interview, McCraw insists that there are sufficient safeguards and it’s no longer necessary. "In today’s world, where the warehouse is doesn’t matter, as long as it’s in complete compliance with all the security protocol and ... you have the ability to audit at any time," he says.
The bottom line with all of this is that, once again, Governor Perry's administration has acted outside the law, attempted to be above the law, and with little oversight and no control whatsoever.
(X-Posted From Capitol Annex