Department of Justice lawyers revealed Wednesday that the FBI improperly gave agents access to a suspect’s private online communications that only a few agents were authorized to see, sparking privacy concerns that investigators could be sharing too much information without permission.
Virgil Griffith, a young technologist who gave a public talk about cryptocurrencies at a conference in North Korea, was the subject of an FBI search warrant to obtain information from his Facebook and Twitter accounts in March 2020.
The data was uploaded to the FBI’s internal data analysis program created by Palantir, a CIA-funded company that specializes in sorting through huge amounts of information and connecting the dots. And, according to a three-page DOJ letter, an FBI special agent who was not part of the investigation into Griffith but was working on a separate investigation into someone who had spoken to Griffith online accessed that data without permission from the FBI. A year later, three more FBI analysts started poking around the same evidence without approval.
All that file sharing flies in the face of a general rule: law enforcement agents receive narrow search warrants to access specific private information. Judges try to limit unjustified government intrusions into personal lives, so typically, a separate investigation requires a separate search warrant, according to constitutional scholars.
“When you have a system of this magnitude, there have to be safeguards in place to know who’s accessing it and when,” said Saira Hussain, an attorney at the Electronic Frontier Foundation, a group that advocates privacy.
According to the DOJ, the cause of the mistake was simple: someone forgot to flip a switch.
“When data is loaded onto the platform, the default setting is to permit access to the data to other FBI personnel,” the DOJ explained, adding that “those default settings were not changed to restrict access” to solely the agents working on the case.
The DOJ and FBI are now assessing the damage. The court letter to U.S. District Judge P. Kevin Castel said they are now exploring “to what extent this issue—i.e., the loading of restricted data onto the platform without restriction—might have impacted other cases.”
Palantir issued a statement asserting that what happened was not a “glitch,” as The New York Post described when it broke the news on Wednesday.
“There was no glitch in the software. Our platform has robust access and security controls. The customer also has rigorous protocols established to protect search warrant returns, which, in this case, the end user did not follow,” the statement read.
But the company would not identify the software it provided to the FBI, describe its purpose, or say whether it is helping the government conduct its review.
The FBI has at least one publicly visible contract worth $19 million to Palantir for services that started in September 2017. Documents unearthed by the Electronic Privacy Information Center, an advocacy group, show that both the FBI and ICE have used “FALCON,” a customized version of a Palantir program called Gotham that quickly sorts incoming data and helps military and police.
John Davisson, an attorney at EPIC, said the software disclosed by the DOJ “appears to be something novel and different, and the FBI needs to disclose more about what it is and how it’s used.”
“Unless the FBI happens to catch, correct, and disclose that initial permissions error, Bureau personnel can make unrestricted use of the data,” he told The Daily Beast. “That’s a massive problem, and this case illustrates why.”
The FBI did not respond to questions, leaving unclear whether the agency has reconfigured the program’s default settings or determined how many times this has happened with other investigations.
The FBI is not known for upholding rigorous guardrails around sensitive information. It has frequently flouted rules meant to protect Americans’ privacy and searched through National Security Agency datasets on Americans without court orders, as the Foreign Intelligence Surveillance Court revealed in an unsealed finding earlier this year.
Law enforcement agents were sifting through data obtained through warrantless surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) for other cases on organized crime and health-care fraud, the court said. And the FBI was warned against this kind of behavior and told how it could jeopardize Americans’ protections against unreasonable searches and seizures back in 2018.
A 2013 report from the American Civil Liberties Union noted how the FBI’s massive, digital “Investigative Data Warehouse”—which became supercharged by the Patriot Act after the Sept. 11 attacks—eventually came under fire from Congress when it demanded an audit. When the FBI refused to give auditors access, Congress paused funding temporarily but eventually the matter became largely forgotten.
Most privacy experts who spoke to The Daily Beast on Thursday commended the FBI for addressing the problem, but warned that this episode foreshadows more serious privacy debacles down the line.
“Our privacy should not be dependent on the actions of individual prosecutors and FBI agents. While it’s good that the defendant in this case was notified and the government is taking steps to delete the data, the government is still ingesting huge amounts of data and Palantir makes this data widely accessible by default,” said Ángel Díaz, a privacy expert who teaches at the University of California Los Angeles law school. “There may be other cases where this same kind of wide data sharing goes on undetected.”
Aside from the potential privacy concerns for the American public in general, this slip-up could complicate the case that federal prosecutors have against Griffith if his defense team claims it somehow tainted the investigation.
“We are deeply concerned about what happened here. We are investigating the situation and Mr. Griffith’s potential legal remedies,” said Brian E. Klein, his defense attorney in Los Angeles.
“This is not the first time we’ve seen the FBI wrongly searching through people’s sensitive emails and data in ways that the Fourth Amendment prohibits,” said Patrick Toomey, an attorney who specializes in national security matters at the ACLU.
A similar miscalculation by the FBI in New York ruined its 2018 case against Ali Sadr Hashemi Nejad, a banker accused of dodging U.S. sanctions by hiding how Iranian money paid for a $500 million housing project in Venezuela.
In that case, the Manhattan district attorney obtained a ton of information with a search warrant and handed it off to the FBI. Instead of identifying the relevant stuff and ditching the rest, federal agents vigorously sorted through it all—without getting their own search warrant.
U.S. District Judge Alison J. Nathan dismissed the case this past February. In her order, she ripped into FBI agents who “uploaded raw email search-warrant returns into its ‘BIDMAS’ database and searched this database hundreds of times, contrary to the Government’s representations… and almost certainly in violation of the Constitution.” And she excoriated prosecutors who tried to “bury” the evidence.
This kind of unauthorized access poses a greater danger to the public’s liberty now because law enforcement relies on such powerful surveillance tools and analytical software that can piece it all together, said Michael German, a former FBI special agent who is now scholar at the Brennan Center for Justice. And repeat mistakes could hurt future investigations, he warned.
“If the judge doesn’t feel confident the FBI will honor the limits they impose, they’ll be less likely to grant them permission in the future,” German said. “The FBI has shown that it is ineffective in enforcing limits.”