On May 12, 2016 the Office of the Director of National Intelligence (ODNI) issued SEAD 5, “Collection, Use, And Retention of Publicly Available Social Media Information in Personnel Security Background Investigations and Adjudications.” This was preceded by the December 2015 enactment of the federal “Consolidated Appropriations Act, 2016,” which directed the use of relevant and appropriate information from social media and such other sources for security clearance eligibility determinations. A news release issued on May 13, 2016, briefly explained the rationale and limitations of the new directive.
SEAD 5 is a policy document that requires a number of actions to be completed before any federal agency can begin cyber vetting—all of which will take time.
SEAD 5 requires ODNI to develop standards and issue guidelines for the collection, use, and retention of social media information. This may take several months. When ODNI issued SEAD 2 on the use of polygraph in September 2014, it wasn’t until February 2015 that ODNI issued a corresponding Intelligence Community Policy Guidance (ICPG 704.6).
Requirements before implementation of cyber vetting
Based on the ODNI standards and guidelines, federal agencies will have to create training curriculum and insure that their investigators and adjudicators are properly trained on the collection and adjudication of social media information. The training will either be a collaborative effort by several agencies or a single agency like OPM or the Defense Security Service will provide the training for other agencies. It wouldn’t be efficient to train field investigators to collect social media information. It’s more likely that the collection of this information will be assigned to a group of investigative technicians at an investigative agency’s headquarters, for example at OPM’s Federal Investigations Processing Center (FIPC) where the other standard checks of computer accessible records are performed. Ideally, an investigative technician would use a computer program to collect and report the social media information.
Each agency intent on collecting, using, or retaining social media information will need to publish a “30-Day Notice and Request for Comments” in the Federal Register and publish a “System of Records Notice” when the record system is established or revised.
Before any cyber vetting can take place, a new “Authorization for Release of Information” needs to be put into use. The release is part of the Standard Form 86 (SF86), Questionnaire for National Security Positions, and must be signed by all applicants. The new release will need additional wording that specifically advises the applicant of the collection of public available social media information. In March 2013 the Office of Personnel Management (OPM) proposed changes to the SF86 including a change to the release that would permit the collection of information from other sources, “to include publically available electronic information.” It may be months before a new SF86 is implemented. OPM will also need to add cyber vetting to their list of investigative services and figure out how much to charge for this new service.
Important or Intrusive?
Some people will argue that the Government’s review of information on an applicant’s Linkedin® or Facebook® page will have a chilling effect on their right to free speech. But the same applies when Government investigators ask an applicant’s friends and associates about the applicant’s past conduct.
Some people will characterize cyber vetting as overly intrusive. But all Personnel Security Investigations (PSIs) are inherently intrusive, and no one is subject to a PSI unless they apply for a clearance and sign the Authorization for Release of Information form. If you want to apply for a security clearance then you’ll have to surrender some of your right to informational privacy, if such a right even exists (see Justice Scalia’s January 2011 separate concurring opinion in the January 2011 Supreme Court decision regarding “NASA v. Nelson.).
According to a 2010 study by Microsoft, “79% of US HR/Recruitment professionals. . . use online reputational information to evaluate candidates most or all of the time.” In today’s environment it’s hard to justify withhold this investigative tool from the U.S. Government for national security clearances. The purpose of security clearance investigations is to collect information from a variety of sources and identify applicants who should not be eligible for security clearances. Social Media are merely new sources where information can be collected about people’s behavior, and the use of Social Media is just an extension of existing investigations.
The U.S. Government has sponsored a number of studies to determine the usefulness of cyber vetting in security clearance determinations and to identify problems. As early as June 2009 a study sponsored by ODNI on the use of Cyber Vetting for security clearance purposes was completed. It involved 349 test cases of intelligence agency applicants who consented to participating in the study and found “adverse information” on 28% of the cases. The study estimated a price of $375 per case. No doubt some pilot programs have been initiated since this study was completed.
In December 2010 the International Association of Chiefs of Police and the Defense Personnel Security Research Center (PERSEREC) produced a Special Report on Cybervetting for law enforcement agencies. The report doesn’t provide a “model” or “suggested” policy, but rather guidelines for agencies to develop their own policy based on the needs of their individual departments and the communities they serve. Except for a portion of the report that indicates, “Applicants, candidates, and incumbents may be asked to access password-protected websites so that the recruiter or background investigator can review their profiles, blogs, or other online forums for disqualifying content,” the report is useful in understanding how cyber vetting might be applied to security clearance determinations. Accessing password-protected and other non-publicly available social media content is contrary to SEAD 5 and the lesson learned from the “Bozeman Blunder.” PERSEREC produced a separate report, “Developing a Cybervetting Strategy for National Security Positions,” in part from the same study, but it is not available to the public.