
Legislation: To stop the next Snowden, social media security clearance screenings

The Enhanced Security Clearance Act of 2014 (HR 5482) hopes to employ 'social media screening' to flag violent psychopaths, and prevent the next Edward Snowden from getting a clearance.

The company that vetted Edward Snowden also vetted Aaron Alexis, the Navy Yard shooter.

The Enhanced Security Clearance Act of 2014 (HR 5482) hopes to use "social media screening" to prevent the next Edward Snowden -- or Navy Yard shooter -- from obtaining a U.S. Federal Government security clearance.

The legislation's author, U.S. Representative Mike Kelly (R-PA), introduced the bill Wednesday, elaborating on his legislation's reasoning:

"Because of OPM’s [the Office of Personnel Management] outdated practices, nefarious characters with security clearances have been able to obtain and maintain employment within our government, which has ultimately resulted in tragedy and treason.

"This bill will help stop the Snowdens, Mannings, Hasans, and Alexis’s of the world from holding any federal job that could be abused at the expense of our national defense."

Kelly added, "In particular, the bill will update government background checks to include an applicant’s publicly available electronic data including social media accounts such as Facebook and Twitter."

"Bill takes the wrong approach"

The Electronic Frontier Foundation didn't mince words about HR 5482.

EFF Senior Staff Attorney Lee Tien told ZDNet, "This bill takes the wrong approach."

Tien explained, "It recognizes the backlog in 'overdue periodic reinvestigations' but they double down by intensifying the check. Yet everyone agrees that over-classification is a problem."

"I would love to see them reduce the need for clearances in the first place by sharply reducing classification," he added.

In March, security clearance reform was among the cross-agency priority goals listed in President Obama’s fiscal 2015 budget.

Indeed, it's estimated that over five million security clearances are currently held by government employees and contractors.

Rep. Kelly's announcement page for H.R. 5482 included comment from Geoffrey Andrews, the Chief Operating Officer of Santa Barbara, Calif.-based Social Intelligence -- a company that provides a suite of products, notably for government security clearance investigations. For that, SI offers "Social Intel Background Investigation", "Social Intelligence Monitoring" and "Identity Resolution" tools.

Andrews told ZDNet,

When conducting social media screening as part of the security clearance process, the government is looking for evidence of behavior that is inconsistent with the profile of someone who should receive security clearance. They are looking for information related to a person’s character, judgment, and trustworthiness.

This can include anything from evidence of illegal activity, drug use as well as identifying discrepancies between the information a subject provided the government versus the information that is online.

When asked what kind of results his company's searches typically yield, Andrews said, "In our work for large employers we have found countless examples of active job seekers, with publicly available online information related to illegal activity, demonstrations of racism and intolerance, as well as other types of information which should be taken into consideration as employers screen potential employees."

H.R. 5482 raises questions about privacy and implementation in equal measure.

The Act's language covers the things we'd expect, like Twitter, Facebook, Flickr and Reddit, but also ropes in comments:

(...) publicly available online electronic information regarding such individual, including blogs, microblogs, forums, news Web sites, and picture and video sharing Web sites;

(B) publicly available social media data regarding such individual, including pictures, videos, posts, or comments;

An EFF spokesperson told ZDNet, "Also note that the privacy issues aren't just for the person being investigated but also for those who associate with the person, as their communications would be caught up in the process."

Social Intelligence's COO was a bit more vague on the subject of individual (or bystander) privacy, steering his response toward building trust within the industry. "We need to build a “community of trust” between the security professionals responsible for vetting personnel and the people who operate in an environment where they have access to classified or sensitive information."

Andrews continued:

By working with firms that have a proven track record and established best practices for conducting these types of searches in accordance with the Fair Credit Reporting Act, it is possible for social media screening to become a routine standardized part of the background investigation process.

Maybe Social Intelligence is just seeing an obvious opening.


The company that vetted Edward Snowden -- the United States Investigation Services (USIS) -- also vetted Aaron Alexis, the Navy Yard shooter.

USIS has been in hot water ever since; it was also hacked in August. This month, lawmakers formally protested the awarding of a $190 million border security contract to USIS, in a letter saying "the U.S. Department of Justice has alleged that this firm charged with handling a large portion of background checks for the government “dumped” over 665,000 cases without having properly reviewed them."

The AP reported Alexis "lied about a previous arrest and failed to disclose thousands of dollars in debts when he applied for a security clearance (...) federal investigators dismissed the omissions, and made one of their own — deleting any reference to Aaron Alexis' use of a gun in that arrest."

 "The gaps in his record," the September 2013 AP report continued, "eventually allowed him to work in the secure Navy building where he gunned down 12 workers last week, underscoring weaknesses with the clearance process that Navy officials are targeting for change."

But can you govern the social media screening of a violent psychopath in the same way as a "whistleblower"?

As for answering that question, Andrews gave us a truism-pastiche, saying the social media screening his company is poised to do for the US government "provides meaningful insight to security professionals as they vet individuals applying to gain access to classified information."

Yet until the details are clarified -- I'll assume that's where we'll keep finding the proverbial devil.