As a result of its information retention practices related to privacy and the First Amendment, the Maine Information and Analysis Center (MIAC), housed within the Department of the Maine State Police, has previously been the subject of controversy. While two privacy audits conducted in the past year by the MIAC’s advisory board claim the center has addressed those practices, a report released by a group of privacy and criminology experts questions their conclusions.
The center is part of a national network of so-called “fusion centers” that sprung up in the wake of the 9/11 terrorist attacks to facilitate information sharing between law enforcement agencies at the state and federal levels.
The center partners with the Maine State Police, the Maine Emergency Management Agency, the Department of Homeland Security, the Federal Bureau of Investigation, U.S. Border Patrol, the Franklin and Kennebec County Sheriff’s Offices, the Maine Army National Guard, the Department of Justice’s National Drug Intelligence Center, the Maine Secretary of State, and the Maine Department of Corrections.
It was created by executive order in 2006 by then-governor John Baldacci. Per the executive order, the MIAC is charged with prioritizing and analyzing relevant Homeland Security information, coordinating interagency participation, receiving and sharing intelligence, and making recommendations to the governor and state Homeland Security Advisory Council.
The order also directs the MIAC to “conform to all existing rules and statutes related to the handling of sensitive intelligence information,” including rules outlined in the federal regulatory code.
The MIAC’s own self-created privacy policy, effective as of March 20, 2019, contains more specific rules about how it should protect individual interests, including privacy, civil rights and civil liberties while acquiring and analyzing information.
The center is only supposed to seek, retain, and share information that is based on a “criminal predicate or possible threat to public safety,” is “based on a reasonable suspicion that an identifiable individual or organization has committed a criminal offense or is involved in or planning criminal conduct or activity,” is “relevant to the investigation and prosecution of suspected criminal incidents,” or is “useful in a crime analysis or in the administration of criminal justice and public safety.”
That information must also be collected from a reliable, verifiable source and collected in a fair and lawful manner. Per its privacy policy, the MIAC is also required to purge criminal intelligence information, unless it is “reviewed and validated,” at least every five years.
But records leaked in 2020 and whistleblower allegations suggest the MIAC has not always maintained those policies.
George Loder, then a Maine State Trooper, accused the MIAC in May 2020 of violating its privacy laws and of retaining and sharing the personal information of individuals not suspected of any crime. According to a court case Loder brought against the MIAC, when he was on temporary assignment with the MIAC while serving on the FBI’s Joint Terrorism Task Force, he learned the MIAC uses minor offenses as a pretext to conduct background checks, monitor social media accounts of individuals who have participated in lawful protests, and retain that data despite no evidence of criminal wrongdoing.
As part of the suit, Loder said he learned the MIAC retains information collected by automatic license plate recognition systems and shared by law enforcement agencies in other states, and records information collected by the Maine State Police as part of background checks conducted on lawful gun owners.
Loder claimed he was demoted in retaliation for raising concern about these practices with various other law enforcement agencies in the MIAC’s intelligence network. Loder’s lawsuit also claimed the agency had violated the federal Privacy Act of 1974, which governs how federal agencies can collect, maintain, use, and disseminate information in federally-maintained databases.
The officers against whom Loder’s complaints were directed claimed they were entitled to qualified immunity on charges they had violated the Privacy Act. A federal judge for the U.S. District Court for Maine dismissed the case in March 2021, in part ruling Loder lacked standing on the grounds the Privacy Act does not apply to state officials. The judge also ruled the officers were entitled to qualified immunity.
While the substance of Loder’s accusations were never addressed, a 2020 database breach that was subsequently published on Blueleaks, a website associated with the “hacktivist” group Anonymous, produced documents that backed up some of Loder’s claims, including those related to license plate readers and surveillance of protected First Amendment activity.
The controversy led the legislature to debate LD 1278, a bill that would have closed the MIAC. The House of Representatives voted on June 15, 2021 to insist on its vote to advance the bill, but the Senate voted the same day to insist on its vote to accept the majority ought not to pass report from the Committee on Criminal Justice and Public Safety. The disagreement between the chambers resulted in the bill’s death.
The legislature did pass LD 12, which requires the MIAC to submit an annual legislative report documenting the “types of cases, crimes, incidents and reports the center has reviewed and evaluated in a manner that protects personal privacy and the integrity of the work of the center.” The law, signed on June 11, 2021, also requires the report to include a privacy audit with de-identified information.
The MIAC’s annual report for 2021 is only five pages long and contains data on the number of requests for information sharing the center received, as well as the number of entries it made into various law enforcement databases.
Similarly, its privacy audit contains copies of questionnaires filled out by individual auditors who reviewed MIAC records. The audit is conducted by the MIAC Director, the MIAC Compliance Officer, the MIAC’s privacy, civil liberties, and civil rights officer, the public member of the MIAC’s advisory board and a board member selected by its chair. The audit includes a review of 10 records selected at random and 10 records selected by each of the board members.
The audit also includes questions flagged for further discussion with the center’s advisory board.
As part of the most recent audit, covering the period between August 1, 2021 and December 31, 2021, the audit found “no evidence of nonconformance by the MIAC” with their privacy policy.
However, the audit also flagged several questions surrounding monitoring of First Amendment activities as topics needing further discussion, including whether threatening or hate speech is protected speech, a topic that was flagged during the audit covering the period between January 1, 2021 and July 31, 2021.
The audit also suggested the advisory board needed to further discuss the potential of First Amendment protected protests occurring “on the private property of a public employee.”
With certain specific exceptions, both hate and threatening speech are widely recognized as constitutionally protected speech. These questions, plus documented issues with the retention of information directly related to criminal activity, have led some to question whether the MIAC’s privacy practices are as above board as the report claims.
This includes the authors of a “shadow report” released on April 1, 2022, which addresses shortcomings in the MIAC’s audit process. The report’s authors include a social worker, a privacy advocate, a monitoring and evaluating professional, a criminology professor at the University of Southern Maine, and a Maine Law student.
The group called the MIAC’s oversight “flawed” and said its advisory board, which is exempt from the state’s public records laws, “is made up of individuals who are largely unaccountable to the public at large or who lack the necessary expertise to provide meaningful oversight.”
Given what BlueLeaks revealed about the MIAC’s failure to properly dispose of information, especially when related to protected First Amendment activities, the report also raises concerns about the thoroughness of the audit process.
“The Advisory Board audits a random selection of documents and, as such, avoids scrutinizing many of the documents that pose the greatest risk to privacy and other civil liberties,” the report states.