The U.S. Department of State inspector general's office has recommended criminal prosecution for five employees or contractors who accessed electronic passport records without permission, but two U.S. senators on Thursday called for more criminal cases to be filed.
Senators Patrick Leahy, a Vermont Democrat, and Arlen Specter, a Pennsylvania Republican, both urged the inspector general's office to refer more cases to the U.S. Department of Justice for prosecution following reports this year of massive snooping into passport files at the State Department.
"I think some well-placed prosecutions ... would be as much of a deterrent as you can imagine," Leahy said Thursday at a Senate Judiciary Committee hearing.
Senators raised concerns that the State Department can't easily pinpoint what electronic passports have been accessed without authorization, making it nearly impossible for the agency to notify individuals who've had their personal data breached. The U.S. electronic passport system contains personal information such as place of birth and Social Security numbers for about 127 million U.S. residents.
In March, news agencies reported that private contractors working with the State Department had accessed without authorization the electronic passport files of three presidential candidates, Senators John McCain, Barack Obama and Hillary Clinton. Five contractors have been fired since then.
Those news stories prompted a State Department inspector general's (IG's) investigation, and last week, the IG office released a report showing widespread breaches of the agency's Passport Information Electronic Records System, or PIERS. The IG looked at the passport files of 150 politicians, entertainers and athletes, and found that 127 of those passports had been accessed at least once between September 2002 and March 2008.
Those 217 passport files were accessed a total of 4,148 times during that timeframe. One person's passport was searched 356 times by 77 users, Leahy said. PIERS has about 20,500 users.
Some of those passport searches were likely authorized and part of official government business, but many were likely unauthorized, said Harold Geisel, acting IG at the State Department. If the access was unauthorized, it could violate criminal laws related to computer fraud and abuse, he said.
PIERS does not ask users why they are accessing a passport holder's record, a State Department official said. The IG report found "many control weaknesses" in PIERS, Geisel said.
Specter grilled IG officials, asking them if they had followed up on the referrals of criminal cases to the Justice Department. When Geisel said his office had not followed on the status of those cases, Specter demanded a report back to the Judiciary Committee within 30 days. He also sounded surprised that the IG's office had turned over the names of only five people to be prosecuted.
More prosecutions are likely, Geisel said.
"This has to be followed up," Specter said. "This is the responsibility of the State Department."
Specter also asked if the IG had determined the reason for the passport file access. In most cases, it appeared to be simple "snooping," Geisel said, but the IG's office remains concerned about other motivations, such as identity theft. "That is our greatest worry," he said.
Specter then asked whether the IG's office had notified any of the 127 people whose passport files were found to be compromised, in order to determine whether they have been victims of ID theft. The IG's office has begun to contact those people, and so far has not found cases of ID theft, Geisel said.
The inspector general's report included 22 recommendations for the State Department to improve passport security. But much of the report wasn't released to the public, including 16 of the 22 recommendations.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticized the State Department for redacting the report, saying the public needs to know if the steps the agency is following are sufficient to protect their privacy.
But keeping parts of the report from public view was necessary, said Tom Burgess, director of congressional and public affairs for the State Department Office of Inspector General. Making all the recommendations public would have given a "road map for potential criminal behavior or mischief," he said. "It would have provided a road map not only on how to continue to misbehave, but to misbehave and get away with it."
The State Department has agreed with 19 of the 22 recommendations and partially agreed with another.