Section 1: Description of the Information System
The Guardian Program, managed by the Federal Bureau of Investigation (FBI), Counterterrorism Division (CTD), Guardian Management Unit (GMU), provides a proven methodology for reporting, sharing, tracking, and mitigating a large volume of counterterrorism-based incidents. The Guardian Program encompasses two systems, the classified Guardian Threat Tracking System (Guardian), which resides on FBINET, and an unclassified companion, the eGuardian system, which is available and utilized in the daily operations of state, local, tribal, territorial, and federal law enforcement partners as well as the national fusion center network. The Guardian and eGuardian systems, even though they reside on different classification networks, have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies.
The FBI has expanded the best practice of addressing counterterrorism threats, utilizing the Guardian system, to other national threat program areas. The FBI will leverage existing technology and existing law enforcement partnerships to address not only counterterrorism threats, but also cyber and criminal threats and suspicious activities, with minimal cost, minimal expenditure of resources, and minimal time needed to place the technology and business process into operation.
By providing a common platform to law enforcement for the reporting and sharing of the threats delineated above, the FBI will be able to provide a universal reporting system for all law enforcement, while concurrently eliminating the jurisdictional and bureaucratic impediments to sharing information which results in degradation of our national security posture.
This Privacy Impact Assessment (PIA) amends the previous eGuardian PIA, dated November 25, 2008, and specifically examines the eGuardian system as it accounts for privacy concerns while creating an environment that will continue to address the need to share suspicious activity and threat information as mandated by the National Security Presidential Directives.
The eGuardian system’s primary purpose is to facilitate the reporting, tracking, and management of threats to determine whether a particular matter should be closed or opened as a predicated investigation. The eGuardian system also facilitates pattern and trend analysis of Suspicious Activity Report (SAR) information. The original eGuardian system was designed in consultation with legal, privacy, and security personnel in the Department of Justice (DOJ) and elsewhere to ensure that privacy protections and security controls were integrated into system development and into the eGuardian system’s functionality.
(b) How the System Operates
The FBI is authorized to investigate violations of a wide variety of federal criminal statutes, including the growing cyber intrusion threat and computer-related fraud under the federal computer fraud statute originally enacted in 1984 and amended numerous times since. Several states have criminal statutes comparable to the federal ones, which requires extensive collaboration, coordination, and deconfliction. The eGuardian system is a platform that will enhance these efforts by allowing the electronic sharing and reporting of appropriate federal criminal matters, including cyber criminal matters. Use of the eGuardian system will augment or replace the existing mechanisms for referring such matters, which today are ad hoc and vary across the country. The eGuardian system will facilitate the type of information sharing envisioned in the National Strategy for Information Sharing.
The eGuardian system is first and foremost an incident reporting system that standardizes existing reporting types. An incident is an occurrence or reporting of a suspicious activity, threat or event relating to terrorism, cyber or criminal activity. Incidents will be placed into the eGuardian system to assist in assessing information related to national security or other federal crimes. In addition, the information derived from the incidents that are placed in the eGuardian system may show links, relationships, and matches among data elements, which will provide the opportunity for analysis and interpretation. The use of the tools in the eGuardian system will enable analysts, officers, detectives, agents, other law enforcement investigators, and law enforcement support personnel to develop leads and identify potential suspects more quickly. Once vetted by an accepted and trained approver, this information will be shared with law enforcement at all levels in order to more effectively identify and track threats and threat patterns and take actions to mitigate such threats.
The eGuardian system will be used to record, review, sort, and prioritize these incidents and present the information to law enforcement partners, who will access the eGuardian system through the Law Enforcement Online (LEO) Enterprise portal. Information that meets the requirements to be shared will be entered into a shared environment, referred to as the Shared Data Repository (SDR). All law enforcement agencies will have the ability to read and add value to incidents in the SDR. For information marked as “Reported,” only the contributing law enforcement agency (the submitting eGuardian partner agency and/or Fusion Center) will have the ability to search, read, and enter the incident(s) in the eGuardian system. Contributing law enforcement agencies can remove their incidents from the eGuardian system at any time, regardless of whether they are marked “Shared” or “Reported.” All eGuardian system users who have the ability to mark an incident as “Shared,” thereby placing the incident report in the SDR, will be required to take an SAR Analyst course. The SAR Analyst course teaches attendees the standards for “Sharing” and “Reporting,” including the vetting processes and the privacy, civil rights, and civil liberties protections. All eGuardian system users will be able to add notes to eGuardian incidents to update and clarify the collected information. This process is explained in detail below.
The eGuardian system is not intended as a permanent data repository. As a result, determinations about the eGuardian collected information will be made promptly so that the data can move quickly through the review process. All federal, state, local, tribal and territorial (SLTT) law enforcement agencies with missions that pertain to homeland security will be encouraged to report and share threat information into the eGuardian system for review and approval by a Fusion Center (FC). Fusion Centers are becoming focal points for information sharing and will function as an additional layer of review to confirm that an incident warrants being entered into the eGuardian system. With the proper training of personnel who perform eGuardian system management and analytical functions (as discussed elsewhere in this assessment), the use of Fusion Centers as an intermediary should lead to an effective and standardized vetting process that moves incidents quickly through the eGuardian system. There are appropriate, layered compliance reviews in place to ensure quality reporting within the eGuardian system and eliminate irrelevant, erroneous, or otherwise improper incidents.
Collected information that meets the criteria to be “Shared” will be shared, with the goal of creating an efficient, near real-time mechanism for SLTT and federal law enforcement partners to share information related to national security or other federal crimes and to discern any otherwise unknown relationships among reported incidents.
Reports in the eGuardian system will have one of the following submission statuses:
- DRAFT—a threat or suspicious activity is reported to the agency within the eGuardian system by an authorized user and not entered in the SDR;
- SHARED—a threat or suspicious activity that has been approved by a Fusion Center for entry into the eGuardian system’s SDR and uploaded to the Guardian system for further vetting by a designated FBI Supervisor;
- REPORTED—a threat or suspicious activity approved by a Fusion Center that does not meet the requirements of the SDR, is not entered in the SDR, and is uploaded to the Guardian system for further vetting by a designated FBI Supervisor;
- CLOSED—a threat or suspicious activity reviewed and determined to have no nexus to terrorism, cyber, or criminal activity; or
- DELETED—a threat or suspicious activity that does not meet the eGuardian system standards, violates First Amendment protections, or is a possible duplicate report.
The eGuardian system handles DRAFT incidents in two ways depending on where in the eGuardian system workflow the draft incident exists and how the agency has configured their assigned workflow. When an agency creates (enters) an incident in the eGuardian system, the incident is only visible to the eGuardian system account holders from that agency. At this point, the incident is considered to be at agency-level control. The incident cannot be seen by the responsible Fusion Center nor can it be seen by the FBI or any other eGuardian system partner agency. This design enhances privacy protection by restricting access to Personally Identifiable Information (PII) to the agency that created the incident. This design function also allows the agency complete control over information they enter into the eGuardian system.
The eGuardian user or the partner agency supervisor (if applicable) may elect to retain the collected information (incident) within the eGuardian system pursuant to their own agency’s policy, but for no more than five years. The partner agency makes the determination whether to share the incident by submitting it to their responsible Fusion Center. The partner agency may also decide to close the incident. If the partner agency closes the incident prior to sharing, the Fusion Center, the FBI, or other partner organization will not have access to the incident. If the partner agency elects to submit the incident to their Fusion Center, the incident continues to remain in the DRAFT status and becomes viewable only to the user (creator), reporting agency supervisor (if applicable) and the FC Approver. The DRAFT incident is not yet viewable to other partner agencies or the FBI. At the Fusion Center, the DRAFT incident will be reviewed and approved by a FC Approver to identify and confirm the required criteria to mark the report as “Shared.”
Once an incident is SHARED or REPORTED, it is sent to an FBI Supervisor, who determines whether a Guardian assessment will commence. A Guardian assessment is the process in which the FBI examines an incident to determine whether there is a nexus to terrorism, cyber, or other criminal activity sufficient to warrant further investigation and/or the application of additional investigative resources, as governed by Attorney General and FBI policies. Per FBI policy, a Guardian assessment must have an authorized purpose and cannot be based solely on race, ethnicity, national origin, or First Amendment protected activities. There is no time limit for a Guardian assessment; however, these assessments are anticipated to be very short. If an assessment is not concluded within 30 days, a designated FBI Supervisor must conduct a justification review every 30 days thereafter. A Guardian assessment ends with a disposition of “Positive,” “Negative,” or “Inconclusive” nexus to terrorism, cyber, or criminal activity. The disposition is immediately passed back to, and updates, the original eGuardian incident. All partner agencies, including the Fusion Center, involved in the approval of the eGuardian incident will be notified of the disposition.
(c) Information Collected, Maintained, Used, or Disseminated
The eGuardian system will collect terrorism and cyber threat information, suspicious activity reporting with a potential nexus to terrorism, and information that exhibits a reasonable suspicion of criminal activity (hereinafter collectively referred to as “collected information”). “Suspicious activity” is defined as observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity. In this context, pre-operational planning describes activities associated with a known or particular planned operation or with operations generally, e.g. terrorist financing not necessarily tied to a specific plot. This definition is consistent with the definition utilized by the Program Manager/Information Sharing Environment (PM/ISE). Suspicious activities may include surveillance, cyber attacks, probing of security, or photography of key infrastructure facilities. The criminal and cyber information will include information regarding completed, ongoing, and future threats of violations of federal criminal statutes that the FBI is mandated or authorized to investigate. Clearly defined criminal information meets a higher threshold, indicating that a crime has been committed, and will result in the collection of PII and all available identifiers regarding the subject of a report or incident, such as name, date and place of birth, unique identifying numbers, physical description, and similar attributes or other criteria that, when combined, can reveal a person’s identity.
Additionally, the applied definition of what constitutes possible criminal activity is “possess a reasonable suspicion an activity constituting a federal crime or a threat to national security has or may have occurred, is or may be occurring, or will or may occur and the investigation may obtain information relating to the activity or the involvement or role of an individual, group, or organization in such activity.” This definition, currently used by FBI investigators, and the PM/ISE definition of “suspicious activity,” will ensure the collected information reported is of the highest quality possible.
Collected information can be reported to law enforcement by private/public citizens or organizations; or may come directly from law enforcement personnel who observe and/or investigate activities. All collected information from SLTT law enforcement and other federal agencies will be required to be reviewed and approved by a Fusion Center (Fusion Center is an entity that has the duty and responsibility to review and approve collected information provided to the eGuardian system such as: a recognized Fusion Center, the headquarters component of a Federal agency, a command component to a Department of Defense (DOD) military service, or the GMU) prior to being shared with the eGuardian system. In all cases of data ingest, trained analysts or law enforcement personnel will make the judgment of whether the information exhibits the required predication before an incident is allowed to be “Shared” and added to the eGuardian system’s SDR. For consistency, analysts and law enforcement personnel will be provided the same level of training.
The eGuardian system has policy guidelines for the types of information that may not be entered into the system by any participating entity, including the FBI. For example, no entry may be made based solely on the ethnicity, race, or religion of an individual, solely on the exercise of rights guaranteed by the First Amendment, or the lawful exercise of any other rights secured by the Constitution or the laws of the United States. These restrictions will be prominently displayed when an individual accesses the eGuardian system and he or she will have to affirmatively indicate agreement to abide by these rules before being permitted to proceed to submit or view reports.
In addition, the following specific categories of information will NOT be permitted to be entered into the eGuardian system: classified information; information that divulges sensitive methods and techniques; Foreign Intelligence Surveillance Act (FISA) derived information; grand jury information; federal taxpayer information; sealed indictments; sealed court proceedings; confidential human source and witness information; Title III subject and intercept information; and other information that is subject to legal restriction. The eGuardian system has several layers of review to ensure compliance with eGuardian policy.
Information allowed to be “Shared” will be placed in the eGuardian system’s SDR, where it will be viewable and searchable by members of SLTT law enforcement and representatives of other federal law enforcement agencies that have been granted access to the eGuardian system. “Shared” information must meet one of the following criteria:
- It must be potentially related to a past activity associated with terrorism; or
- It must be reasonably indicative of pre-operational planning related to terrorism or other criminal activity and have a potential nexus to terrorism. In this context, pre-operational planning describes activities associated with a known or particular planned operation or with operations generally (e.g. terrorist financing not necessarily tied to specific plots); or
- It must exhibit reasonable suspicion that the subject of the information is involved in criminal activity and the information is relevant to that criminal conduct or activity. (28 C.F.R. Part 23).
Information can also be entered into the eGuardian system as “Reported” utilizing the eGuardian system Express function. Information sent via the eGuardian system Express function will go directly into the Guardian system, will not be placed in the SDR, and will not be visible to anyone in the eGuardian system with the exception of the authoring agency and responsible Fusion Center. The purpose of this functionality is:
- Situations where the information is derived from or pertains to a matter that is considered too sensitive to share with the eGuardian community; or
- Situations where the required predication to mark the information “Shared” cannot be made without checking the holdings uniquely available to the FBI in its capacity as a member of the United States Intelligence Community (USIC), but the authoring agency believes the information should be reported to the FBI; or
- For FBI personnel to submit unclassified reports taken during field work directly into the Guardian system.
Information from eGuardian partner agencies will be submitted to the appropriate Fusion Center for analysis and review. The Fusion Center will make a determination whether the information warrants contribution to the eGuardian system, and if it does, whether it is contributed as “Shared” or “Reported.” If an eGuardian partner agency does not have a relationship with a Fusion Center, the information can be sent directly to the FBI’s GMU as detailed above.
All information will be subject to threshold screening by the submitting law enforcement officer or LE support personnel (i.e. analysts) and then will be submitted to a Fusion Center for a decision regarding adding the report to the eGuardian system and marking it “Shared” or “Reported.” This screening will ensure that trained law enforcement personnel and/or LE support personnel make the initial decision that an incident warrants further review. Furthermore, the eGuardian system workflow architecture is designed to restrict the ability to view submitted incidents to the reporter, the reporter’s supervisor, and the Fusion Center prior to being reviewed and approved for sharing. Incidents submitted to the eGuardian system will not be viewable to the eGuardian system users outside this workflow until the incident is approved and marked “Shared” by the Fusion Center.
Throughout the initial threat reporting process, regardless of where the incident originates, if a determination is made that the incident does not meet the criteria to be “Shared,” the information will not be added to the eGuardian system’s SDR. Once an incident is added to the eGuardian system’s SDR, it will be updated based on the findings of the Guardian assessment. If the Guardian system assessment disproves the original allegations, the incident will be given a negative finding status. The incident will be removed from the eGuardian system’s SDR within 180 days from the determination of the “Negative” status. If the Guardian assessment confirms the allegations, the incident will be given a “Positive” status. The eGuardian system incident will be removed from the SDR five years from the determination of the positive status. If a definitive conclusion cannot be reached as to the original allegations, the incident will be given an “Inconclusive” status. The incident will remain in the eGuardian system’s SDR for pattern and trend analysis and will be removed within five years from the determination of the inconclusive status. Most incidents that result in an inconclusive finding are incidents that lack PII, preventing an investigator from making a positive or negative status finding.
The incidents in the eGuardian system in many cases will originate from observations made by law enforcement officers and from information received from the general public. The incidents that are submitted are nevertheless vetted by trained law enforcement personnel and submitted through a second level of review at a Fusion Center before being added to the system. Because of the nature of the records at issue, the opportunity to consent to particular uses of the information is not provided.
(d) Access
In terms of access to the system, the eGuardian system user community will consist of only those law enforcement partners who qualify for access to the LEO Enterprise portal and who are specifically granted access to the eGuardian system by GMU personnel.
The eGuardian system access will be provided to SLTT and federal law enforcement officers and agencies that have a law enforcement mission need for information related to national security or other federal crimes. Other federal law enforcement entities, including Department of Justice components, Department of Homeland Security (DHS), and DOD entities with law enforcement missions, including force protection, will also be provided access.
Contractors will have access to the system in order to perform system maintenance and administration. In addition, to the extent contractors are assigned to any of the agencies that will have access to the eGuardian system, these individuals will also, upon proper vetting and clearances, be able to access the system to support a law enforcement function.
The eGuardian system will have the following user roles:
- USER: generally reserved for individuals who create the eGuardian system incidents and are responsible for investigating and/or conducting analysis of information related to national security or other federal crimes for their assigned agency.
- L1/L2 Supervisor: will control all of the disseminations of eGuardian system reports from their agency. All such work will be electronically submitted by a Supervisor role to a Fusion Center for review and approval to be “Shared” or “Reported.”
- FC Approver: reserved for individuals assigned to a Fusion Center whose duty is to evaluate incidents and perform other administrative functions with respect to the system, and who review and approve an incident to be “Shared” or “Reported.” Individuals with this role have the ability to pass incidents to Guardian. An FC Approver is a designated person who has received the required SAR Analyst training.
- Read-Only user: the initial user role for all new users prior to being assigned an active role and for users that are law enforcement but will not be entering incidents.
Individual eGuardian partner agencies will be able to structure the above user roles and customize their workflow to fit their own needs. GMU, however, will exercise administrative oversight of the system, which will include auditing for appropriate system access and use. GMU will not assign a user role without prior collaboration with an eGuardian partner agency. Fusion Centers will also exercise administrative oversight of users at their locations. Each eGuardian partner agency will determine which of the above user roles will be assigned to their personnel.
Each user will have an individual account that requires a login and password for access to the LEO Enterprise portal. These accounts will be able to be audited. Each Fusion Center, moreover, will have the responsibility to audit their users and will be obligated to report suspected misuse and security compromise. Rules of Behavior and training will cover the appropriate use of data and the penalties for misusing the collected information.
The definitions of “suspicious activity” and “possible criminal activity” will be incorporated into the eGuardian User Agreement presented to a user prior to entering the eGuardian system. Individuals accessing the eGuardian system will have to confirm that they have read and understood the User Agreement and agree to be bound by the constraints articulated therein. The User Agreement will be acknowledged each time a user logs in to the eGuardian system.
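The workflow statuses and visibility rules in section (b), the SDR retention windows in section (c), and the user roles in section (d) together describe one access-control state machine, and the practitioner's check is whether the rules compose into a deny-by-default policy. The following Python model is an added example, not code from the eGuardian system or the FBI. The class and function names, the Viewer record and its sar_trained flag are assumptions made for illustration; the rules it enforces are only those stated in the text: agency-level control of a DRAFT, the narrow DRAFT visibility once it has been submitted to a Fusion Center, the SDR (SHARED) versus authoring-agency-plus-Fusion-Center (REPORTED) distinction, the SAR Analyst training requirement for anyone who marks an incident SHARED, and the 180-day and five-year SDR removal deadlines keyed to the Guardian disposition.

```python
"""Model of the eGuardian incident workflow described in sections (b), (c) and (d).
Added example, not eGuardian's own code: the names, the Viewer record and its
sar_trained flag are assumptions; the rules encoded are the ones stated in the text."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Status(Enum):
    DRAFT = "DRAFT"
    SHARED = "SHARED"      # FC-approved, in the SDR, passed to Guardian
    REPORTED = "REPORTED"  # FC-approved, passed to Guardian, not in the SDR
    CLOSED = "CLOSED"
    DELETED = "DELETED"

class Role(Enum):
    USER = "USER"
    SUPERVISOR = "L1/L2 Supervisor"
    FC_APPROVER = "FC Approver"
    READ_ONLY = "Read-Only"

@dataclass
class Viewer:
    user_id: str
    agency: str
    role: Role
    fusion_center: str | None = None  # the FC an FC Approver belongs to
    sar_trained: bool = False         # assumption: SAR Analyst course completed

@dataclass
class Incident:
    creator: str
    agency: str
    fusion_center: str  # Fusion Center responsible for the reporting agency
    status: Status = Status.DRAFT
    submitted_to_fc: bool = False   # DRAFT forwarded to the FC Approver
    disposition: str | None = None  # Positive / Negative / Inconclusive
    disposition_date: date | None = None

def can_view(inc: Incident, v: Viewer) -> bool:
    """Who may read an incident at each status (section (b)); deny by default."""
    if inc.status is Status.SHARED:
        return True  # in the SDR: every vetted eGuardian user
    same_agency = v.agency == inc.agency
    responsible_fc = v.role is Role.FC_APPROVER and v.fusion_center == inc.fusion_center
    if inc.status is Status.REPORTED:
        return same_agency or responsible_fc  # authoring agency and its FC only
    if inc.status not in (Status.DRAFT, Status.CLOSED):
        return False  # DELETED, or any status this model does not know
    # DRAFT (or CLOSED before sharing): agency-level control until submitted to the FC,
    # then only the creator, the agency supervisor and the responsible FC Approver.
    if not inc.submitted_to_fc:
        return same_agency
    return (v.user_id == inc.creator
            or (same_agency and v.role is Role.SUPERVISOR)
            or responsible_fc)

def submit_to_fc(inc: Incident, actor: Viewer) -> None:
    """A USER or Supervisor of the originating agency forwards a DRAFT to its FC."""
    if inc.status is not Status.DRAFT or actor.agency != inc.agency:
        raise PermissionError("only the originating agency can submit its DRAFT")
    if actor.role not in (Role.USER, Role.SUPERVISOR):
        raise PermissionError("Read-Only accounts cannot submit incidents")
    inc.submitted_to_fc = True

def fc_decide(inc: Incident, approver: Viewer, decision: Status) -> None:
    """The responsible FC Approver marks a submitted DRAFT SHARED, REPORTED or DELETED."""
    if not (approver.role is Role.FC_APPROVER and approver.fusion_center == inc.fusion_center):
        raise PermissionError("only the responsible Fusion Center may approve")
    if inc.status is not Status.DRAFT or not inc.submitted_to_fc:
        raise ValueError("incident has not been submitted for FC review")
    if decision not in (Status.SHARED, Status.REPORTED, Status.DELETED):
        raise ValueError(f"an FC cannot set status {decision.value}")
    if decision is Status.SHARED and not approver.sar_trained:
        raise PermissionError("marking SHARED requires the SAR Analyst course")
    inc.status = decision

def record_disposition(inc: Incident, disposition: str, when: str) -> None:
    """Store the Guardian assessment result and its ISO date on the incident."""
    if disposition not in ("Positive", "Negative", "Inconclusive"):
        raise ValueError(f"unknown disposition {disposition!r}")
    inc.disposition, inc.disposition_date = disposition, date.fromisoformat(when)

def sdr_removal_deadline(inc: Incident) -> str | None:
    """Latest SDR removal date (section (c)): Negative 180 days, Positive/Inconclusive 5 years."""
    if inc.status is not Status.SHARED or inc.disposition_date is None:
        return None
    d = inc.disposition_date
    if inc.disposition == "Negative":
        return (d + timedelta(days=180)).isoformat()
    try:
        return d.replace(year=d.year + 5).isoformat()
    except ValueError:  # 29 February with no leap day five years on
        return d.replace(year=d.year + 5, day=28).isoformat()
```

Two design points are worth noting. can_view treats every status it does not explicitly recognise as unreadable, so adding a status later cannot silently widen access, and a CLOSED incident keeps agency-level visibility unless it had already been submitted to its Fusion Center. The SAR Analyst requirement is enforced at the transition that places data in the SDR rather than at login, which is where the text puts it: an FC Approver without the training can still mark an incident REPORTED but cannot mark it SHARED.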
(e) Information retrieval
The information provided to eGuardian can be retrieved in multiple ways. eGuardian has multiple searchable fields, including report number, name, the designated FBI Field Office responsible for the information, and the agency that reported the information. eGuardian also has an “All Incidents” view that lists all shared incidents in chronological order for ease of viewing. A report can be viewed in the web view or as a PDF document.
(f) Information Transmittal
Access to the eGuardian system will be available through a secure interface to the LEO Enterprise portal. The LEO Enterprise portal, a sensitive but unclassified web-based network containing only authorized members, will provide authentication capabilities for the eGuardian system users. To enter the LEO Enterprise portal, each individual eGuardian system user is required to use a login and password that is unique to that user. Passwords must be changed every 90 days. Membership in the eGuardian system via the LEO Enterprise portal is by application only and will be drawn only from agencies that have an originating agency identifier (ORI) and thus are recognized law enforcement entities. Membership must also be approved by GMU. In the event a partner agency with an operational need to share/receive information does not have an ORI, access may be granted by GMU supervisors on a case by case basis. The use of an ORI designation will help to ensure that only those law enforcement personnel who have been cleared for access are accepted.
(g) Interconnections
Consistent with the National Strategy for Information Sharing, vetted eGuardian system information is intended to be shared with other SLTT and federal law enforcement agencies, including task force members and analytical support personnel. As such, interconnectivity with other systems for the purposes of sharing information outside of the eGuardian system is limited to the PM/ISE Shared Spaces and the FBI Guardian system. The FBI Guardian system, like eGuardian, is a vital component of the Guardian Program that allows the FBI to assess collected information in a timely and uniform manner, as well as share unclassified reporting to the eGuardian system. Collected information that meets the definition outlined by the PM/ISE and is judged to be “Shared” will be viewable to vetted Fusion Center and DHS personnel with access to the PM/ISE SDR and to other components that have an operational need to receive the information within the SDR. Collected information will be made available electronically through the eGuardian network or through secure electronic media via the Secure File Transfer Protocol (SFTP).
Additional connections are made for the purpose of providing information to the eGuardian system. These connections are made by State and Local Fusion Centers with their existing records management systems (RMS) and allow for the seamless sharing of collected information in an electronic format. eGuardian information is NOT passed to a Fusion Center’s RMS.
Section 2: Information in the System
2.1 Indicate below what information is collected, maintained, or disseminated. (Check all that apply.)
The eGuardian system has the capability to retain all information sets listed below either in structured data fields built into the system or via free text data fields that allow the submitter to type the captured data elements. The checked boxes below reflect some of the possible range of information that may be found in eGuardian.
Identifying numbers (checked): Social Security; Alien Registration; Financial account; Taxpayer ID; Driver’s license; Financial transaction; Employee ID; Passport; Patient ID; File/case ID; Credit card. Other identifying numbers (specify): none specified.
General personal data (checked): Name; Date of birth; Religion; Maiden name; Place of birth; Financial info; Alias; Home address; Medical information; Gender; Telephone number; Military service; Age; Email address; Physical characteristics; Race/ethnicity; Education; Mother’s maiden name. Other general personal data (specify): none specified.
Work-related data (checked): Occupation; Telephone number; Salary; Job title; Email address; Work history; Work address; Business associates. Other work-related data (specify): none specified.
Distinguishing features/Biometrics (checked): Fingerprints; Photos; DNA profiles; Palm prints; Scars, marks, tattoos; Retina/iris scans. Not checked: Voice recording/signatures; Vascular scan; Dental profile. Other distinguishing features/biometrics (specify): none specified.
System admin/audit data (checked): User ID; Date/time of access; ID files accessed; IP address; Queries run. Not checked: Contents of files. Other system/audit data (specify): none specified.
Other information (specify): none specified.
2.2 Indicate sources of the information in the system. (Check all that apply.)
Directly from individual about whom the information pertains (checked): In person; Hard copy: mail/fax; Online; Telephone; one additional checked item (label missing). Other (specify): none specified.
Government sources (checked): Within the Component; Other DOJ components; Other federal entities; State, local, tribal. Not checked: Foreign. Other (specify): none specified.
Non-government sources (checked): Members of the public; Public media, internet; Private sector; Commercial data brokers. Other (specify): none specified.
2.3 Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)
The most significant privacy risk is that the collected information, upon further vetting, is deemed to be innocuous, resulting in the overcollection of data. A related significant risk is that dissemination of PII will be overly broad and will include agency officials who do not possess the “need to know” to view the collected information. Need to know is determined by the eGuardian participating point of contact. The risks listed above are inherent in almost every electronic system and will be mitigated in eGuardian through training, retention policies, and multiple levels of review consisting of partner agencies, Fusion Centers, and designated FBI Supervisors.
In order to mitigate these risks, the following definitions of the collected information the eGuardian system can accept are specified to protect privacy, civil rights and civil liberties and to ensure the eGuardian system retains collected information only as specified:
- The applied term “suspicious activity” is defined as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” In this context, pre-operational planning describes activities associated with a known or particularly planned operation or with operations generally, e.g. terrorist financing not necessarily tied to a specific plot. This definition is consistent with the definition developed and utilized by the PM/ISE.
- The applied definition of what constitutes possible “criminal activity” is “possess a reasonable suspicion an activity constituting a federal crime or a threat to national security has or may have occurred, is or may be occurring, or will or may occur and the investigation may obtain information relating to the activity or the involvement or role of an individual, group, or organization in such activity.” This definition, currently used by FBI investigators, and the PM/ISE definition of “suspicious activity,” will ensure the information reported is of the highest quality possible.
Access controls have been implemented, with scrutiny, to determine an individual’s “need to know” for access to the eGuardian system. These controls incorporate the LEO Enterprise portal access control policy and the eGuardian partner agency verification (discussed in section 6.2 of this document). This process ensures that only vetted personnel will have access to the collected information and PII contained within the eGuardian system.
Another privacy risk is the sum of the data entered into the eGuardian system may be greater than its component parts, with the result that new and different information about incidents and people alleged to be suspicious becomes apparent. This is, in significant part, the purpose of the eGuardian system, but it also creates a privacy risk and a risk of public misperception and possible misunderstanding. The privacy risk is that seemingly isolated incidents or observations may lead to more discovery of personal information about individuals in an effort to develop relationships (i.e., “connect the dots”) between these and other incidents and observations. This risk is mitigated in part by the inherent nature of the process; i.e., in the end only meaningful relationships that affect national security will be developed and acted upon. The incidents or observations containing personal information that remain isolated or the relationships among incidents that do not develop investigative value will not lead to further action and will be retained in the eGuardian system for the limited time indicated above. These on-going vetting and analytical processes should minimize the risk of unwarranted and inappropriate dissemination of irrelevant personal information.
Section 3: Purpose and Use of the System
3.1 Indicate why the information in the system is being collected, maintained, or disseminated. (Check all that apply.)
| | Purpose |
| X | For criminal law enforcement activities |
| | For civil enforcement activities |
| | For intelligence activities |
| | For administrative matters |
| X | To conduct analysis concerning subjects of investigative or other interest |
| X | To promote information sharing initiatives |
| X | To conduct analysis to identify previously unknown areas of note, concern, or pattern. |
| | For administering human resources programs |
| | For litigation |
| | Other (specify): |
3.2 Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.
The collection of PII is vital to information sharing programs as a whole, and allows investigators the ability to vet/assess/distinguish individuals to determine any appropriate investigative actions and to protect a person’s privacy, civil rights, and civil liberties listed under the Privacy Act of 1974. Without PII, the assessment of eGuardian incidents is confined to limited investigative capabilities, and determining the final disposition of an eGuardian incident as a “Positive” or “Negative” nexus to terrorism, cyber or other criminal activity would be difficult and frequently impossible.
On a daily basis the FBI and other law enforcement entities at the federal, state, local, tribal, and territorial levels obtain tips and leads about potentially suspicious activities. This information may come from direct observation by the law enforcement officers, or from information provided to or by other law enforcement personnel, other agencies, the public, or the FBI’s own investigative activities. The eGuardian system allows these tips and leads, in the form of SARs, with a potential nexus to terrorism, cyber, or criminal activity, to be collected in a singular format and vetted.
For criminal law enforcement activities, the eGuardian system’s format allows a partner agency to document a SAR with an unknown nexus to terrorism, cyber, or criminal activity, and provides a platform to collaborate with other law enforcement agencies in a secure SDR.
The “Search” and “Reports” features available in the eGuardian system also allow an eGuardian user to conduct analysis to identify previously unknown areas of note, concern, or pattern, as well as alert the eGuardian community as to results found.
Finally, the eGuardian system was designed to promote information sharing initiatives specifically in support of the President’s National Strategy for Information Sharing, to facilitate suspicious activity reporting. SARs are key information exchanges between the federal, state, local, tribal, and territorial partners.
3.3 Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system. (Check all that apply and include citation/reference.)
| | Authority | Citation/Reference |
| X | Statute | 28 U.S.C. 533, 534; 18 U.S.C. 1030 |
| X | Executive Order | E.O. 12333 |
| X | Federal Regulation | 28 C.F.R. Part 16, Part 23, and § 0.85 |
| | Memorandum of Understanding/agreement | |
| X | Other (summarize and provide copy of relevant portion) | Annex II to NSPD 46 delineates FBI responsibilities related to intelligence and counterterrorism; Section 1016 of IRTPA establishes roles and responsibilities of the PM/ISE. |
3.4 Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)
Even though 28 C.F.R. Part 23 does not apply to the eGuardian system, the FBI has adopted the records retention period currently in effect for state criminal intelligence systems articulated under 28 C.F.R. Part 23. Also, as eGuardian is a component of the FBI Guardian Program, the retention periods for collected information provided to eGuardian are defined in the National Archives and Records Administration (NARA) retention schedule for the Guardian Threat Tracking system.6
The eGuardian system considers all incidents submitted to the system to be the property of the submitting agency; therefore, should a submitting agency desire that an incident be removed from the system prior to the defined records retention periods, the incident will be removed.
The eGuardian user or the partner agency supervisor (if applicable) may elect to retain the collected information (incident) within the eGuardian system pursuant to their own agency’s policy, but for no more than five years. The partner agency makes the determination whether to share the incident by submitting it to their responsible Fusion Center or to close the incident. If the partner agency closes the incident prior to sharing, neither the Fusion Center, the designated FBI supervisors, nor any other partner organization will have access to the incident. If the partner agency elects to submit the incident to their Fusion Center, the incident remains in DRAFT status and is viewable only to the user (creator), the partner agency supervisor (if applicable), and the FC Approver. The DRAFT incident is not yet viewable to other partner agencies or the designated FBI supervisors. At the Fusion Center, the DRAFT incident will be reviewed and approved by an FC Approver to identify and confirm the required criteria to mark the report as “Shared.”
If the Guardian assessment resulted in a “Positive” nexus to terrorism, cyber, or criminal activity, the incident will be retained for five years within the eGuardian system. If the disposition resulted in an “Inconclusive” nexus to terrorism, cyber, or criminal activity, the incident will be retained for five years. If the disposition resulted in a “Negative” nexus to terrorism, cyber, or criminal activity, the incident will be retained for a period no longer than 180 days from the last incident update. The 180-day period for a “Negative” disposition allows time for the originating partner agency or the Fusion Center to provide potential updates or clarifying information that may result in the incident being reassessed.
Once an incident is SHARED or REPORTED, the incident is sent to an FBI Supervisor to determine whether a Guardian assessment will commence. Per FBI policy, a Guardian assessment must be completed or reviewed by an FBI supervisor every 30 days, with possible extensions. A Guardian assessment will end with a disposition of “Positive,” “Negative,” or “Inconclusive” nexus to terrorism, cyber, or criminal activity. The disposition of the Guardian assessment will be immediately passed to, and will update, the original eGuardian incident. All partner agencies, including the Fusion Center, involved with the approval of the eGuardian incident will be notified of the disposition.
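As an added illustration (not part of the PIA or of the eGuardian software), the retention rules of Section 3.4 expressed as the purge-eligibility check a retention job would run: the record layout, the sample incidents, and the choice to start the five-year clock at the incident's creation date are assumptions made for this example.

```python
"""Retention-deadline check modelled on the eGuardian rules quoted in Section 3.4.

Added example, not part of the PIA or of the eGuardian software. Rules encoded:
  * "Positive" or "Inconclusive" disposition: retained five years.
  * "Negative" disposition: retained no longer than 180 days from the last update.
  * Unshared DRAFT incident: retained per the partner agency's own policy, but
    for no more than five years.
  * The submitting agency owns the incident, so a removal request is honoured
    ahead of any schedule.
Assumptions (not stated on the page): the five-year clock starts at the date the
incident was created, and the record layout below is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NEGATIVE_WINDOW = timedelta(days=180)  # 180 days from the last incident update
MAX_RETENTION_YEARS = 5                # five-year ceiling used throughout 3.4
FINAL_DISPOSITIONS = {"Positive", "Negative", "Inconclusive"}


@dataclass
class Incident:
    incident_id: str
    status: str                               # "DRAFT", "SHARED" or "REPORTED"
    created: date
    last_update: date
    disposition: Optional[str] = None         # set once the Guardian assessment ends
    agency_policy_days: Optional[int] = None  # partner agency's own limit for DRAFTs
    removal_requested: Optional[date] = None  # date the owning agency asked for removal


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(inc: Incident) -> Optional[date]:
    """Date on which the incident must be purged, or None if no clock is running.

    None is returned for a SHARED/REPORTED incident whose Guardian assessment has
    not concluded: the page gives no purge rule for that state.
    """
    if inc.removal_requested is not None:
        return inc.removal_requested           # owning agency's removal request wins
    cap = add_years(inc.created, MAX_RETENTION_YEARS)
    if inc.status == "DRAFT":
        if inc.agency_policy_days is None:
            return cap
        return min(inc.created + timedelta(days=inc.agency_policy_days), cap)
    if inc.disposition is None:
        return None
    if inc.disposition not in FINAL_DISPOSITIONS:
        raise ValueError(f"unknown disposition {inc.disposition!r}")
    if inc.disposition == "Negative":
        # Each update restarts the 180-day window, giving time for reassessment.
        return inc.last_update + NEGATIVE_WINDOW
    return cap                                 # Positive / Inconclusive: five years


def purge_due(inc: Incident, today: date) -> bool:
    """True when the incident's deadline has been reached."""
    deadline = retention_deadline(inc)
    return deadline is not None and today >= deadline


def purge_candidates(incidents: list[Incident], today: date) -> list[str]:
    """Ids of incidents a nightly retention job would remove on `today`."""
    return [i.incident_id for i in incidents if purge_due(i, today)]


# Constructed sample records (not real incidents).
SAMPLE = [
    Incident("INC-NEG", "SHARED", date(2012, 1, 10), date(2012, 3, 1), "Negative"),
    Incident("INC-POS", "SHARED", date(2012, 1, 10), date(2012, 3, 1), "Positive"),
    Incident("INC-PEND", "REPORTED", date(2012, 1, 10), date(2012, 3, 1)),
    Incident("INC-DRAFT", "DRAFT", date(2012, 1, 10), date(2012, 1, 10),
             agency_policy_days=365),
    Incident("INC-REMOVED", "SHARED", date(2012, 1, 10), date(2012, 3, 1),
             "Inconclusive", removal_requested=date(2012, 4, 2)),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, inc.status, inc.disposition, retention_deadline(inc))
    print("purge on 2012-09-01:", purge_candidates(SAMPLE, date(2012, 9, 1)))
```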
3.5 Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example: mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)
Upon entering the eGuardian system, the user will be provided a set of behavioral rules, in concert with the standard eGuardian User Agreement7 about the sensitivity of the information, which will describe expectations for use of the collected information. In addition, although law enforcement personnel with access to the eGuardian system are trained officials and understand the rules concerning dissemination of information, additional web-based trainings on the importance of security and the protection of privacy, civil rights and civil liberties (NSI Line Officer Training video), and on eGuardian system functionality will be provided. An additional “SAR Analyst” training is required for eGuardian system users with the duty to review and approve eGuardian incidents that will be “Shared” or “Reported.”
The eGuardian system will have restricted access and will follow a process regulated by GMU and the LEO Enterprise portal. Prospective users must first clear the vetting requirements imposed by LEO Enterprise portal policies, which include demonstrating that a proposed user is a member of an authorized law enforcement agency that is assigned an ORI, or of an agency with an operational necessity to share/receive information. In the event an agency with an operational necessity does not have an ORI, access may be granted by GMU supervisors on a case-by-case basis (e.g., the DHS National Infrastructure Protection Program does not possess Criminal Justice Information Systems (CJIS) recognized LE credentials but is a vital component to reporting suspicious activity and other threat-related information). Additionally, access to the eGuardian Special Interest Group (SIG) will be controlled by GMU, which must approve all users. The procedures for system access are documented in policy and procedure documents developed by GMU for the eGuardian system.
Section 4: Information Sharing
4.1 Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.
How information will be shared:

| Recipient | Case-by-case | Bulk transfer | Direct access | Other (specify) |
| Within the component | | X | X | |
| DOJ components | | X | X | |
| Federal entities | | X | X | |
| State, local, tribal gov’t entities | | X | X | |
| Public | | | | |
| Private sector | | | | |
| Foreign governments | | | | |
| Foreign entities | | | | |
| Other (specify): | | | | |
4.2 Analysis: Disclosure or sharing of information necessarily increases risks to privacy. Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example: measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information—training, access controls, and security measures; etc.)
Sharing PII carries with it a risk of improper use and/or improper dissemination. The Privacy Act governs the dissemination of information internally within an agency/department, which is appropriate when there is a need to know. Because other DOJ law enforcement components are expected to be the prime recipients of any data that is shared internally, the contemplated internal sharing will meet the Privacy Act requirement. Cookies, which are pieces of text stored on an agency user’s computer hard disk, will be used to track access to specific information. Also, only after the incident is “Shared” and passed to Guardian by the Fusion Center is it visible to anyone beyond the originating agency and the responsible Fusion Center. There is a risk of data breach from the LEO eGuardian SIG, but the security features of the LEO Enterprise portal, coupled with the ability to audit eGuardian system users, help to minimize this risk. These risks are inherent in any networked computer system with multiple users accessing it via the Internet.
If a Federal or SLTT eGuardian partner agency deems the collected information to be legally prohibited from sharing, or too sensitive in nature to be shared with the eGuardian SDR due to legal policy (which varies by state/jurisdiction) or operational constraints, the eGuardian partner agency can “Report” the collected information to the FBI without sharing the information with the eGuardian and NSI SDRs. At this time there are no policies or other governances preventing the sharing of collected information directly with the FBI.
Consistent with the National Strategy for Information Sharing, vetted eGuardian information is intended to be shared with other federal or SLTT law enforcement agencies, including task force members and analytical support personnel. Collected information that meets the criteria to be “Shared” will be shared with the goal of creating an efficient, near real-time mechanism for law enforcement partners at the federal, state, local, tribal and territorial level to share information related to national security, other federal crimes and suspicious activity, and to discern any otherwise unknown relationships among reported incidents.
Information is made accessible either through the LEO eGuardian SIG, or hard copy information may be printed and disseminated to appropriate law enforcement and law enforcement support personnel. User agreements will require that information obtained through the eGuardian system shall not be disseminated without the approval of a fusion or fusion-like center or the originating partner agency.
Upon entering the eGuardian system, the user will be provided a set of behavioral rules, in addition to the standard login disclaimer about the sensitivity of the information, which will describe expectations for use of the collected information. In addition, although law enforcement personnel with access to the eGuardian system are trained officials and understand the rules concerning dissemination of information, additional web-based trainings on the importance of security and privacy, civil rights and civil liberties (NSI Line Officer Training video) and on eGuardian system functionality will be provided. An additional SAR Analyst training is required for eGuardian system users with the duty to approve eGuardian incidents.
A caveat identifying eGuardian information as Law Enforcement Sensitive or For Official Use Only will be included in any dissemination to include those to the Guardian system. It is anticipated that these labels will be replaced by a uniform designation as a matter of federal policy. When that policy is fully implemented, the caveat in eGuardian system will be amended as required. In addition, the official responsible for final approval and marking information “Shared” or “Reported” must have completed the SAR Analyst training.
Section 5: Notice, Consent, and Redress
5.1 Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system. (Check all that apply.)
| X | Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 7. |
| | Yes, notice is provided by other means. Specify how: |
| | No, notice is not provided. Specify why not: |
5.2 Indicate whether and how individuals have the opportunity to decline to provide information.
| | Yes, individuals have the opportunity to decline to provide information. Specify how: |
| X | No, individuals do not have the opportunity to decline to provide information. Specify why not: eGuardian incidents in many cases will originate from observations made by law enforcement officers and from information received from the general public. The incidents that are submitted are nevertheless vetted by trained law enforcement personnel and submitted through a second level of review at a Fusion Center before being added to the eGuardian system. |
5.3 Indicate whether and how individuals have the opportunity to consent to particular uses of the information.
| | Yes, individuals have an opportunity to consent to particular uses of the information. Specify how: |
| X | No, individuals do not have the opportunity to consent to particular uses of the information. Specify why not: Because of the nature of the records at issue, the opportunity to consent to particular uses of the information is not provided. |
5.4 Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.
Applicable regulations found in 28 CFR Part 16, Subparts A and D, which have been issued pursuant to the Freedom of Information and Privacy Acts, govern requests for access to information in FBI files. To the extent that other federal agencies that contribute information to eGuardian have processes in place to govern access or redress, those processes may apply to the information contributed by these agencies. As entries into eGuardian will most often be made by state and local law enforcement officers, the information may be retained in state and local agency records as well. Access to and opportunity to seek redress for those records is controlled by state law and procedures. The previously approved eGuardian system PIA was published and made available to the public via the FBI.GOV website and to eGuardian partner agencies on the eGuardian LEO SIG page.
As a general matter, although FBI records are exempt from Privacy Act access and amendment procedures, the FBI strives to maintain accurate information and will, in its discretion, consider amendment requests. 28 C.F.R. 16.41 and 16.46 provide information on individual access and amendment of FBI records. Amendment of FBI records is a matter of discretion as the records are exempt from the Privacy Act amendment provisions.
Redress is generally not available except to the extent described above, but the eGuardian system is intended to be a dynamic system where corrections and updates will be made as necessary during the short process of ascertaining whether a particular eGuardian incident merits further investigation because of a potential nexus to terrorism, cyber or criminal activities. If an eGuardian incident is concluded with a “Negative” disposition, the eGuardian incident will be deleted from the system within 180 days.
The eGuardian system is set up so that partner agencies can restrict the information they contribute in order to deny access to certain groups or individuals. This choice takes into account various state laws which have differing privacy requirements for sharing information and also allows eGuardian partners more control over their own information. A decision was also made to limit access to incidents in eGuardian to sworn law enforcement and analytical support personnel, in order to ensure that only those with training in handling sensitive law enforcement information and information related to national security or other federal crimes can access the system. The decision was made to use the LEO Enterprise portal as the hosting organization because it is an FBI-owned, web-based, sensitive but unclassified network that provides controlled access to facilitate information sharing. Placement of the eGuardian system on the Internet allows for ease of use, but potentially exposes PII to outside attack. However, this is mitigated through the use of the LEO Enterprise portal, which provides restricted and more secure access to this information, enhancing both privacy and security.
Section 6: Information Security
6.1 Indicate all that apply.
[Language removed]
6.2 Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.
Additionally, all individuals needing access to the eGuardian system must do so as a member (either be sworn law enforcement or personnel working in direct support of a law enforcement function) of an accredited law enforcement organization, DHS, or other Federal agency participating in the eGuardian program. These organizations are vetted and verified by FBI GMU personnel prior to being accepted into the eGuardian system as an approved participating agency. Individual users must be verified by designated participating agency points of contact before being granted access to the system. Lastly, upon login, an eGuardian system user will be assigned to a read-only default organization and will be assigned to their partner agency once GMU personnel confirm eligibility and the assigned user role that was designated by the partner agency point of contact.
Contractors will have access to the system in order to perform system maintenance and administration. In addition, to the extent contractors are assigned to any of the eGuardian partner agencies that will have access to eGuardian, these individuals will also, upon proper vetting and clearances, be able to access the system in support of a law enforcement mission.
As indicated previously, eGuardian web-based training will be available to the user to assist with system access and procedure. In addition, eGuardian incident approvers/Fusion Center Supervisors are required to attend a SAR Analyst course. eGuardian incident approvers from Fusion Centers will be provided classroom training that will emphasize their roles, responsibilities, and reinforce privacy concerns. A privacy statement will also be contained in the user agreement electronically signed by each eGuardian system user. In addition, each eGuardian system user is required to view and acknowledge viewing the NSI Line Officer Training video. The NSI Line Officer Training video reiterates the proper collection of suspicious activity reporting and proper handling of PII.
The user agreements and acceptable use policies for the LEO Enterprise portal and eGuardian system are displayed every time users log into the systems and the users cannot access the systems without agreeing to these policies with every login. The user agreements outline proper collection and handling of information and remind users of potential administrative, civil or criminal penalties for violations of the system policies.
Incidents entered into the eGuardian system undergo multiple levels of review for suitability, and privacy and civil rights/civil liberties protections. Several of these reviews occur when the eGuardian incident is shared with the Guardian system. If at any point in this process a privacy or civil rights/civil liberties concern is identified, the eGuardian incident will not be shared, or if already shared, it will be deleted from the eGuardian system and Guardian.
If the eGuardian incident is determined to be shared, additional protections are provided to protect PII. eGuardian uses SSL encryption for transmission (sharing) and is in compliance with FIPS 140-2. In addition, antivirus software is installed on all servers to prevent the introduction of malicious code and spyware.
[Language removed]
Section 7: Privacy Act
7.1 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (Check the applicable block below and add the supplementary information requested.)
| X | Yes, and this system is covered by an existing system of records notice. Provide the system name and number, as well as the Federal Register citation(s) for the most recent complete notice and any subsequent notices reflecting amendment to the system: Data Warehouse System, 77 Fed. Reg. 40630 (July 10, 2012) |
| | Yes, and a system of records notice is in development. |
| | No, a system of records is not being created. |
7.2 Analysis: Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.
Information within the eGuardian system can be retrieved via multiple avenues. The eGuardian system provides the ability to utilize a keyword, location, agency, status, custom or saved search functions. The keyword search would be utilized for retrieval of information pertaining to United States citizens and/or lawfully admitted permanent resident aliens. The search string allows for an ‘all these words’ or ‘match exact phrase’ ability with a blank text field to allow any user to type specific search criteria.
The search terms that could be used by the user are unlimited, but the specific fields found in the subject category for the eGuardian system are: name, first name, middle name, suffix, sex, description, U.S. person, public figure, height (inches), weight (pounds), birth date, birthplace, eye color, hair color, race, race subtype, complexion and build. Most often, the individual’s full name or last name would be utilized to retrieve information related to a report within the eGuardian system. The information itself is captured in the incident view, both on the web and in the PDF document.
In addition, there are other identifying numbers and personal data that may or may not be included within a report in the eGuardian system, depending on whether the originating agency or subsequent eGuardian or Guardian system users decide to input them into the report. If such information was included in a report, then it can be used to retrieve information about United States citizens or lawfully admitted permanent resident aliens.
Endnotes
1 An eGuardian partner agency can remove information that was “Shared” or “Reported” to eGuardian if further identification and vetting finds a violation of privacy, civil rights or civil liberties, a sensitive investigation related to the law enforcement department, or that the information does not meet the threshold for entry into eGuardian.
2 The criteria referenced are specified further later in this document.
3 Definitions for “Shared” and “Reported” specified earlier in this document.
4 A user assigned as a FC Approver role is usually a supervisor at his/her assigned agency. However, users assigned to L1/L2 Supervisor roles are NOT FC Approvers.
5 The PM/ISE is currently operating on Functional Standard (FS) 1.5. An update is currently under review and certification with the PM/ISE.
6 The National Archives and Records Administration disposition authority Job numbers for the Guardian Program, which includes eGuardian, are N1-065-09-16 (original dated 5/13/2009) and N1-065-11-40 (updated 11/10/2011).
7 The eGuardian User Agreement is acknowledged each time a user logs into the eGuardian system. The key points of this agreement are: (1) to prevent unilateral investigative activities by multiple LE agencies, and (2) to acknowledge that the user has viewed the NSI Line Officer training video and the additional behavioral rules.
Update
(See following section for Update)