CBP IA’s SAREX: Tomsheck’s program goes rogue – Pt. 4
The July Amnesty, again under the direction of Tomsheck and his handpicked IPD Director Corrado and Deputy Director Matta, also appears to be an example of CBP-IA case management gone wild. Under Tomsheck’s leadership, at least 700 cases, possibly many more, alleging various criminal acts by Border Patrol Agents and Customs Officers were grossly mismanaged by his handpicked administrators, Corrado and Matta. Some of these same security cases were more than three-years old before they either were lost by Corrado and Matta, hastily and unprofessionally closed, or otherwise discarded, all as the result of sloppy case management. More than one case allegedly was backdated.
The Assistant Commissioner at CBP IA, Tomsheck turned federal whistle blower in June 2014, after he was reassigned by CBP leadership from his position at CBP IA. At that time Tomsheck charged that CBP suffers from “institutional narcissism.” Naming specific CBP leaders who Tomsheck held responsible for multiple problems within CBP, Tomsheck also contends that rampant criminal behavior by Border Patrol Agents and Customs Officers reflects an institutional culture at CBP exceeding “constitutional constraints” (Andrew Becker, Ousted chief accuses border agency of shooting cover-ups, corruption, 14 August 2014.)
At first glance Tomsheck’s attempt in 2011 and 2012 to fashion the Suspicious Activity Reports Exploitation Initiative (SAREX) program appears a reasonable strategy to deter CBP employees from corruption and other criminal behavior (United States Government Accountability Office, Border Security: Additional Actions needed to Strengthen CBP Efforts to Mitigate Risk of Employee Corruption and Misconduct, GAO-13/59). Several studies document CBP Agents and Officers participation in a wide range of criminal behavior (United States Government Accountability Office, Border Patrol: Key Elements of New Strategic Plan Not Yet in Place to Inform Border Security Status and Resource Needs, GAO-13-25).
The goal of Tomsheck’s SAREX, although rarely coherently stated by CBP IA, is to improve its Background Investigations (BIs) and Periodic Investigations (PRs) of high risk CBP employees. This goal was to be achieved by collecting and analyzing data previously unavailable to CBP IA (BIs, conducted by CBP IA or its contractors, are required before the hiring of employees. PRs, conducted every five years, require the written consent of the CBP employee).
But by the time federal officials call for SAREX to shut down, DHS’s Privacy Office charges SAREX is out of compliance with DHS employee policy and also guilty of breaking multiple federal privacy laws.
Not only does SAREX far exceed its stated goal, but it also attempts to gather data on those CBP employees who are not on its original target list and who are very unlikely to engage in criminal behavior.
The list of CBP border employees whose personal data is be scrutinized by CBP IA quickly grows to an astounding 3,000 CBP employees.
Equaly troubling, a significant subset of these 3,000 CBP employees targeted by SAREX do not even work on the targeted region of the Mexican border and, therefore, should not even be on the SAREX list of those investigated. Instead these CBP employees may live and work in various locations in the United States, including Washington, D.C.
In short, Tomsheck’s SAREX goes rogue.
Corrado and Matta roll out SAREX
Upon being hired as the Assistant Commissioner at CBP IA in 2006, Tomsheck in his first year personally creates, staffs, funds, develops, and sets the objectives and goals for IPD.
According to Tomsheck’s CBP-IA Five Year Report, his Integrity Programs Division is, “…the research, analysis, and education component of the Office of Internal Affairs…” (James F. Tomsheck, CBP-IA Five Year Report, 31 December 2012). From one day to the next at their Integrity and Program Division (IPD), security analysts based in Washington, D.C. and at various field offices around the country investigate allegations of criminal behavior and/or misconduct of policy and procedures involving Border Patrol Agents and Custom Officers.
From the start, IPD’s SAREX is one of Tomheck’s creations.
IPD Security Analysts at CBP IA are first told about Tomsheck’s SAREX at their regular divisional meeting on 30 March 2011, by IPD Director Janine Corrado and Deputy Director Jeffrey Matta.
According to the IPD minutes, Corrado tells her security analysts that SAREX, “…is a new initiative with the FBI National Public Corruption Task Forces. FBI will be lead agency if case is initiated in conjunction with CBP_IA” (IPD Minutes, 30 March 2011).
The first group of CBP employees on the list is from the Rio Grande Valley in south Texas, “…who failed to complete their e-QIP in a timely manner. The targeting package will be submitted to the FBI task force who, in turn, will work with the CBP-IA agent assigned to the specific task force. There will be an FBI analyst (to be identified later) assigned to work at IPD as part-time” (Minutes, IPD Divisional Meeting, 30 March 2011, verbatim).
(An e-QIP is the Electronic Questionnaire for Investigation Procession system, an electronic form filled out by all potential CBP employees so that a background investigation may be conducted before hiring).
The IPD Security Analysts at CBP IA headquarters in Washington and at their field offices have never before heard of SAREX. The security analysts at IPD headquarters are not asked for either substantive input or feedback on this new SAREX program. Presented to the IPD Security Analysts as a full-blown CBP IA program already conceived, developed, and in operation, Corrado and Matta tell their Security Analysts that SAREX has the full blessing and oversight of their senior official at CBP IA, James Tomsheck.
The security analysts at IPD are also told on 30 March 2011, that SAREX, “…will be a 30 day pilot project…” (IPD Minutes, emphasis added).
Corrado tells her IPD staff that the stated purpose of SAREX is to provide additional data for pre-employment Background Investigations before hiring CBP employees. SAREX, in addition, will also collect data that will better inform Periodic Reinvestigations by CBP IA of CBP employees working along the Mexican border. IPD Security Analysts know that all CBP employees must have BIs before being hired. Given the rapid hiring at CBP as mandated by Congress in 2006, there is a real concern that some employees have already been hired who may be involved in graft and corruption including drug and human trafficking.
Under normal circumstances, PRs are conducted of CBP employees every five years. Before PRs are initiated, CBP IA must ask for the employees’ written consent.
By using the investigatory powers of the FBI, legal authority that CBP IA agents do not possess, SAREX will collect information from law enforcement data bases from which CBP IA has been excluded.
CBP IA agents who conduct investigations have limited policing powers including investigatory capabilities as designated by their assignments as 1801s. As 1801s, CBP Security Analysts are legally allowed to serve as researchers, to enforce laws and policies, and to assure general compliance with laws and policies. CBP IA Security Analysts, however, do not have the legal authority to conduct major criminal investigations.
FBI agents, on the other hand, have the investigatory powers of 1811s. As such they not only have the legal authority to conduct major criminal investigations and to arrest those accused of breaking federal laws, they also have access to FBI and other law enforcement data bases.
Because of limitations to their criminal investigatory capabilities, IPD Security Analysts are frequently limited to researching allegations against CBP employees involving sexual harassment, verbal discrimination, DUIs, disreputable associations, or other possible infractions of the law or CBP policies and procedures.
Allegations in cases against CBP employees, however, may also include homicide, sexual assaults, battery, and other crimes. These cases are supposed to be taken by, or draw the oversight of, the FBI, the Department of Justice, or some other agency with full policing powers including state departments of public safety and municipal police departments.
From Tomsheck’s perspective, partnering with the FBI makes very good sense. FBI agents can go where CBP IA security analysts cannot venture. But from the very start of SAREX, what concerns some IPD Security Analysts, all of whom were GS-14s with extensive experience in security matters, is the complete lack of information they are provided about how SAREX will operate on a day-to-day basis.
As presented by Corrado and Matta at their IPD meeting of 30 March 2011, the SAREX pilot project provides IPD Security Analysts with data from the FBI. As presented to the IPD staff, the FBI will provide extensive data on the personal bank records of suspected CBP employees who have a higher than average probability of criminal activity. The first CBP employees that SAREX will examine are those stationed along the Mexican border.
The FBI has legal authority, along with system access and cross-references, to request bank records describing transactions that exceed the $10,000 IRS deposit threshold. In addition, CBP employees who may have exceeded this threshold over a period of days, weeks, or months would also be scrutinized under SAREX.
IPD security analysts, data in hand, would then produce a Suspicious Activity Report of the CBP employee investigated. Under SAREX those CBP employees on the Mexican border with bank records showing deposits not explained by their annual incomes or other assets might be investigated further by IPD Security Analysts. They would determine if there were additional suspicious kinds of financial activity or behavior. Suspicious financial behavior that might raise a red flag to analysts includes CBP employees with expensive lifestyles or high priced gifts given by the CBP employee to family members.
Those CBP employees stationed along the Mexican border on the SAREX list, but shown by bank data and additional data collected by the FBI not to have any suspicious financial transactions or behavior, would presumably be dropped from the SAREX list.
The SAREX pilot held out the promise of generating data by which IPD could open a proactive case on a CBP employee. Most IPD cases examined by Security Analysts are reactive cases, allegations already made against employees. In a reactive case security analysts examine an allegation against an Agent or Officer who is accused of already committing an offense. But in a proactive case, suspicious activity could be monitored over time and perhaps provide additional information about criminal activity involving the CBP employee and/or others. In the best of outcomes, proactive cases might lead to stopping possible crimes before they take place as well as implicating other suspects previously unknown to authorities.
Some IPD Security Analysts, however, soon become alarmed at the SAREX announcement on 30 March 2011. Compared to other programs conducted by IPD, SAREX appears inadequately defined, more a concept or an idea than a functional, planned program already operational.
The IPD Security Analysts want to know the Standard Operating Procedures for SAREX. What, for instance, is the exact methodology for SAREX? How are names of CBP employees suspected of graft and corruption along the Mexican border actually to be selected? Who in specific will select these names? How is this employee information containing Personal Identifiable Information (PII) going to be transmitted from CBP IA to the FBI and back?
These Security Analysts are well aware that the Federal Privacy Act of 1974 provides strict controls over the uses of PII of all those whose data are stored in federal data systems.
Further, the IPD Security Analysts want to know SAREX’s stated protocols and procedures. What legal agreements and understandings are already in place with the FBI? What, in addition, are the stated objectives and goals of SAREX? What is its projected time frame beyond the 30-day pilot program? What are the metrics and professional standards against which SAREX will be objectively judged?
SAREX breaking bad
Beginning sometime in March 2011, and extending into December 2011, CBP IA sends the personally identifiable information (PII) of a list of CBP employees to the FBI. The PII includes Social Security numbers of the CBP employees targeted. In this instance, the stated purpose of requesting this information for the SAREX pilot project is to collect data otherwise unavailable on CBP employees undergoing five year required Periodic Reinvestigations.
The exact dates of these data requests by CBP IA to the FBI are unknown because it appears that accurate SAREX records are either not kept by IPD Directors Corrado and Matta or, if the records are maintained, then exact dates are not provided to DHS investigators. Soon after it is up and running, DHS begins a full investigation of SAREX (Memo, Marie Ellen Callahan, Chief Privacy Officer, U.S. Department of Homeland Security, to Jane Holl Lute, Deputy Secretary U.S. Department of Homeland Security, 18 July 2012 ).
When the CBP IA leadership, including Tomsheck and IPD Director Corrado and Assistant Director Matta, send PII data of CBP employees to the FBI, they fail, as feared by some IPD staff, “…to execute a Memorandum of Understanding, Memorandum of Agreement…” with the FBI or other required documents as required by Department of Homeland Security policy (Memo, Callahan).
Before the SAREX target list is sent to the FBI, the same CBP IA leadership also fails, “… to ascertain whether there was a legal authority for the sharing of employee information in the Pilot or whether the sharing was permissible…,” under the Federal Privacy Act and current DHS policy and procedures.
SAREX is announced to IPD security analysts on 20 March 2011, but by 29 September 2011 the Office of Inspector General at the Department of Homeland Security sends an investigative referral to DHS’s Privacy Office. In turn the Privacy Office’s Chief Privacy Officer, Mary Ellen Callahan, initiates on 26 October 2011, a full investigation into SAREX. Callahan’s report is then sent on 18 July 2012 to DHS Deputy Secretary Jane Holl Lute.
The objective of DHS’s Privacy Office investigation of SAREX is,“…to determine whether CBP IA’s sharing of information with the FBI through the SAREX Pilot was in compliance with DHS private policy and applicable law.”
The Chief Privacy Officer’s investigation has clearly delineated methodology and goals. There are, “…several meetings and interviews by my staff and me with CBP IA staff, including Directors, Deputy Directors, and the Assistant Commissioner, and the review of more than 1,300 pages of documents provided by CBP IA” (Memo, Callahan).
But very quickly the Chief Privacy Officer runs into a roadblock in her investigation of SAREX. “Determining what happened during the SAREX Pilot in terms of the information shared was complicated by the fact that witnesses including but not limited to the Assistant Commissioner provided my office with inconsistent statements throughout this investigation.”
“Assistant Commissioner” specifically refers to Tomsheck.
Callahan, DHS’ Chief Privacy Officer, goes on to say that, “My office’s investigation revealed a lack of oversight by CBP IA leadership to ensure that DHS policies governing the sharing of PII were adhered to in conducting the SAREX Pilot.”
Further, DHS’s Chief Privacy Officer states that IPD supervisors along with Tomsheck ignored, “…privacy concerns raised repeatedly about the Pilot.”
“IPD supervisors” specifically refers to Janine Corrado and Jeffrey Matta.
Repeatedly Callahan also observes that there are, “…CBP IA staff who questioned the legal authority for, and privacy implications of, the Pilot.” These CBP IA staff include, as suggested, IPD Security Analysts who identify multiple areas of SAREX that lacked clarity, cohesion, or forethought before SAREX was rolled out by Director Corrado and Deputy Director Matta.
The Chief Privacy Officer, further states that there was no legal authority for the SAREX Pilot…” (Memo, emphasis added).
Also SAREX has no, “…Standard Operating Procedures, and concern that PII be properly safeguarded” (Memo, emphasis added).
According to this same memo by the DHS Chief Privacy Officer, it is “unclear” if SAREX is even operational from June through September, 2011, because of a lack of certain SAREX records not made available to investigators.
Tomsheck, along with IPD’s Corrado and Matta, in fact did not bother even to contact the DHS Privacy office about the existence of the SAREX program until September, 2011. This is a full five months after the initial SAREX roll out in late March.
In a meeting with Tomsheck, the DHS Chief Privacy Officer Callahan identified a number of her concerns about SAREX.
But when SAREX reappeared in October, 2011, one month after the CBP IA leadership had been notified about numerous concerns by the DHS Privacy Office, none of the DHS Chief Privacy Officer’s legal concerns about SAREX had been implemented by either Tomsheck, IPD Director Corrado, or Deputy Director Matta.
Worse still, CBP IA leadership failed to notify the DHS Chief Privacy Officer of the apparent revival of SAREX during the month of October or the fact that CBP IA leadership then sent PII data of CBP employees to the FBI, “…on November 3, November 8, November 15, November 22, and December, 2011” (Memo).
The SAREX pilot was supposed to last thirty days. Instead SAREX is still in full stride nine months later. No metrics of SAREX are apparently taken or made available for review.
In nine months the SAREX list grows to 3,000 CBP employees!
On the SAREX target list of 3,000 CBP employees are 929 CBP employees who are never asked their written consent before their PII is sent to the FBI. All of these 929 federal employees, in short, are going through Periodic Reviews without being notified by their employer, CBP IA, that their PII even has been sent to the FBI.
Mysteriously, an additional 639 CBP employees are placed on the SAREX list of 3,000 even though they are not due for a Periodic Reinvestigation.
Even more puzzling, given the stated intentions of SAREX at its roll out, 30 percent of all CBP employees on the SAREX list of 3,000 sent to the FBI are not even working on the Mexican border. From its inception, the stated purpose of SAREX is to identify graft and corruption of CBP employees positioned along the Mexican border. Who put these names on the list? Why? No one seems to know.
Many other troubling questions about SAREX have no answers, states DHS Chief Privacy Officer Callahan, “…because there continue to be discrepancies in the data that call into question CBP IA’s data stewardship.”
Callahan concludes her investigation of SAREX by saying that the, “CBP IA had no documentation, no Standard Operating Procedures, no processes, and exceeded the stated scope of the pilot both in terms of impacted employees and location of impacted employees” (Memo, emphasis added).
It takes two to tango
In spite of the statements by IPD Corrado documented in IPD regular division meetings about partnering with the FBI, the FBI in fact never partners with the CBP IA to facilitate SAREX.
The FBI only receives the SAREX data regarding 3,000 CBP employees. But the FBI never sends back any data to CBP IA. Even when SAREX grows to a list of 3,000 names of CBP employees, there is no evidence to date that the FBI actually investigated any of these individuals. Perhaps knowing the FBI is not a participating partner to their SAREX program the leadership of CBP IA, “… neither sought nor received a response regarding any CBP employees from the FBI during the life of the Pilot (Memo).
The FBI does, however, respond “informally” to requests to investigate CBP employees on one occasion. In April 2011, the FBI sends CBP IA information about, “….9 or 10 CBP employees…” (Marisa Taylor, “Customs under fire for sweeping scans of employees personal data,” McClatchy DC, 8 July 2014).
Who these CBP employees are, what data are collected and sent to CBP IA about them, and the impact, if any, these SAREX data have upon their employment status and subsequent careers at CBP remain unknown.
Tomsheck’s response to the investigation of SAREX
DHS’ Chief Privacy Officer Callahan notes in her investigation of Tomsheck’s SAREX that, “CBP IA did not comply with Department privacy policy or information sharing policy.” She goes on to say that, “Even if the Pilot never recommences, however, the issues I have identified above, coupled with CBP IA leadership’s response to questions concerning the compliance issues noted above concerning the SAREX Pilot, causes me great concern” (Memo).
Callahan also specifically expresses great concern about Tomsheck’s response to her investigation of his SAREX program. “During my meeting with the Assistant Commissioner on April 26, 2012, the Assistant Commissioner seemed to believe that CBP IA’s mission exempts it from following applicable privacy law and DHS privacy policy. I believe this attitude is likely to result in a culture of non-compliance in CBP IA (Memo, emphasis added).
Equally troubling, Tomsheck tells Callahan that he has every intention of conducting programs at CBP IA in the future that are similar to SAREX .
Tomsheck remains true to his word about other CBP IA programs with the identical or similar objectives as SAREX.
Callahan reports that, “On May 10, 2012, the Assistant Commissioner told me that CBP IA is already engaging in such activities outside the Pilot” (Memo,emphasis added).
SAREX disappears
SAREX has virtually disappeared from the public record.
Since James Tomsheck sought protection last under the Whistleblowers Act of 1989, he has made no public statements.
According to an internal communication, IPD Director Janine Corrado recently received a promotion to the position of Chief of Staff for Gregory Marshall, Chief Security Officer at the Department of Homeland Security. Jeffrey Matta, according to another internal communication, has also been reassigned from IPD and is set to take a position in CBP’s Office of Field Operations.
While providing a tour last week of the border wall near Hidalgo, Texas, the Border Patrol Agent in charge of the Public Affairs Office for CBP in the Rio Grande Valley of Texas appeared confused when asked about SAREX. CBP employees in the Rio Grande Valley are the first to be targeted by SAREX as outlined by IPD Director Corrado and Deputy Director Matta in their meeting in late March, 2011.
Agent Oscar Saldana, who has been stationed as a CBP employee in the Rio Grande Valley for seventeen years, is asked, “What do you know about SAREX?” When Saldana hesitates to respond, he is given a brief description of SAREX.
Looking puzzled, Saldana replies, “Never heard of it.”
— Read more in Robert Lee Maril, “Vet alleges supervisors at CBP IA ignored his disability: ‘He Just needed an ounce of compassion’” — Pt. 1, HSNW, 28 October 2014; Maril, “James F. Tomscheck forced disabled veteran from CBP IA” – Pt. 2, HSNW, 24 November 2014; and Maril, “Tomsheck’s ‘July Amnesty’: CBP IA loses hundreds of cases alleging criminal activity by CBP Employees” — Pt.3, HSNW, 12 January 2015
Robert Lee Maril, a professor of Sociology at East Carolina University, is the author of The Fence: National Security, Public Safety, and Illegal Immigration along the U.S.-Mexico Border. He blogs at leemaril.com.