Boston’s Fusion Center Gives Itself an A+ on “Privacy and Civil Liberties”


Ten months ago, Digital Fourth submitted a public records request to Boston’s fusion center, the Boston Regional Intelligence Center. It took two appeals to the Secretary of State to get it, but we finally got a response.

The states operate a network of 78 fusion centers across the nation, which coordinate intelligence-related information between federal agencies and state and local law enforcement, in the name of thwarting terrorist attacks. They have never, to anyone’s knowledge, actually thwarted one, and they have become bywords in Washington for waste and ineffectiveness. Previously, we reported on constitutional violations and the results of a FOIA request at Massachusetts’ “Commonwealth Fusion Center”, operated by the State Police; now it’s the turn of Massachusetts’ other fusion center, headquartered at the Boston PD.

The most interesting document we received is the “2013 Fusion Center Assessment Individual Report: Boston Regional Intelligence Center”. This report was heavily redacted, but luckily the State of Colorado has posted on its website an unredacted 2014 report from Colorado’s fusion center that is absolutely identical in format to the Boston report we received, rendering all of the redactions in the Boston report moot. So if you’d like to understand what the BRIC didn’t want us to see, read on.

It appears that these reports are part of a nationwide process covering all fusion centers. They are developed from responses to an online questionnaire, provided by fusion center directors. The reports say that “DHS and its federal partners validated this data by conducting thorough reviews of the submissions to ensure consistency and minimize data discrepancies”, but that only describes a data cleanup process; they do not say that DHS or any other party assesses whether the self-reports by the fusion center directors are actually true. The purposes of the reports are described as to “strengthen capabilities”, “mitigate capability gaps”, and “support investment requests”. In other words, they exist to serve the Bureaucratic Terrorism Imperative: They are not an assessment of whether the capabilities of the fusion centers are appropriate as they stand, or of whether they are spending our money appropriately, but are to be used only in the service of increasing fusion centers’ powers and budgets.

The first thing we discover is that the Boston Regional Intelligence Center has 43 full-time employees and 10 part-time employees. It is over twice the size of the Colorado Information Analysis Center, which has 20 full-time employees and five part-time employees covering the whole state (the BRIC is one of two fusion centers in Massachusetts).

The fusion center directors rate their centers against the “Critical Operational Capabilities” of “Receive”, “Analyze”, “Disseminate” and “Gather” (20 points each) and four “Enabling Capabilities” (5 points each) of “Privacy, Civil Rights and Civil Liberties Protections”, “Sustainment Strategy”, “Communications” and “Security”. This allows a fusion center utterly failing to observe the Constitution to score 95 out of 100.

The Colorado center openly gives itself perfect scores on each of these ratings. The Boston center redacts its own performance on all COCs and ECs, except for its perfect scores on Privacy, Civil Rights and Civil Liberties and on Security. However, cross-referencing with the Colorado report enables us to determine that the BRIC, like the CIAC, has given itself perfect ratings on everything. How do we know? Take a look:


You see the cylinder off to the right, titled “Number of Attributes Achieved”? The redacted two lines below it are made clear by the Colorado report, which offers this equivalent:


In other words, an all-dark cylinder signifies a perfect rating; and all of the cylinders in the Boston report are all-dark.

Cross-referencing again, we find that the Boston Regional Intelligence Center’s perfect rating for Privacy, Civil Rights and Civil Liberties actually signifies the following:

1. Fusion center has a P/CRCL policy determined by DHS to be at least as comprehensive as the Information Sharing Environment (ISE) Privacy Guidelines.
2. Fusion center provides formal and standardized training to all personnel on the fusion center’s P/CRCL policy and protections annually.
3. Fusion center’s policies, processes, and mechanisms for receiving, cataloging, and retaining information (provided to the center) comply with 28 Code of Federal Regulations (CFR) Part 23 when appropriate.
4. Fusion center trains all personnel who access criminal intelligence systems in 28 CFR Part 23.
5. Fusion center has identified a P/CRCL Officer.
6. Fusion center has a P/CRCL outreach plan.

It should be noted here that the ISE Privacy Guidelines do not require agencies to have any process whereby the public may access or correct incorrect information the fusion centers hold about them. The most they say is that “Agency policies should address issues such as (1) whether information will include notice of known limitations related to the collection, and (2) how confirmed misidentifications will be purged from the system.” As our prior reporting has indicated, there seems to be no process whatsoever whereby any external party, whether DHS or anyone else, reviews the accuracy of the information held by fusion centers.

28 CFR Part 23 is important from a Fourth Amendment perspective because it explicitly limits the information that can be held by the fusion center:

§ 23.20 Operating principles.
(a) A project shall collect and maintain criminal intelligence information concerning an individual only if there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.

(b) A project shall not collect or maintain criminal intelligence information about the political, religious or social views, associations, or activities of any individual or any group, association, corporation, business, partnership, or other organization unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.

(c) Reasonable Suspicion or Criminal Predicate is established when information exists which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise. In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of criminal activity either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency which is subject to routine inspection and audit procedures established by the project.

There are several problems here. First, “reasonable suspicion” – language derived from the constitutional test in Terry v. Ohio – is meant to relate only to individuals who are about to commit, are committing, or have just committed a crime. General “involvement” in a “definable criminal enterprise” can easily degenerate into “wearing the wrong color of clothing” or “hanging out on the wrong street corner”. The proper test to apply is “probable cause”, not “reasonable suspicion”.

Second, the very nature of the databases that fusion centers keep on “suspicious activity” necessarily mean that they are keeping information on people who are not suspected of any actually unlawful activity, because “suspicious activity” is defined as activity that is not criminal or unlawful in itself but that may point towards the possibility of such acts being committed in the future. So, no fusion center that keeps a Suspicious Activity Report database – and they all appear to do so – should ever rate itself as being in compliance with 28 CFR Part 23.

Third, the question of who has responsibility for the accuracy of the data in the databases is a very important one, which 28 CFR 23.20 intentionally leaves vague. Either the agency has to examine the data, or it simply has to trust the information provided to it by another agency. Fusion centers generally, it appears, choose to abdicate any responsibility for the accuracy of the data they hold by using the second of these options by default.

We learn from the full marks BRIC gives itself for “Sustainment Strategy” (again, cross-referencing with the unredacted Colorado report) that the BRIC must have, along with its outreach plan, an “approved strategic plan”, an “annual financial audit”, an “annual operational cost assessment”, and must “measure its performance to determine the effectiveness of its operations relative to expectations it or its governing entity has defined.” All of these documents would be interesting, but we would be especially interested in the last of these, and the metrics by which it measures its own effectiveness.

It seems pretty rare – given the very high average ratings across all fusion centers for all COCs and ECs – for fusion centers to rate themselves as being anything less than awesome in all respects. We understand that the full marks that BRIC and CIAC have given themselves is partly a function of the inadequacy of the criteria themselves. Whether or not you have  a policy on civil liberties is not going to address whether or not what you are doing inherently violates civil liberties. But on the bright side, their approach does give us a new theme song for the BRIC, the CIAC, and for other fusion centers across the nation:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.