By Glenn Kessler
Washington Post Staff Writer
Friday, July 4, 2008
Government workers repeatedly snooped without authorization inside the electronic passport records of entertainers, athletes and other high-profile Americans, a State Department audit has found. One celebrity's records were breached 356 times by more than six dozen people.
The audit, by State's inspector general, was prompted by the discovery in March that three of the department's contract workers had peeked at the private passport files of Sens. Barack Obama and John McCain and that a State Department trainee had examined the file of Sen. Hillary Rodham Clinton.
The report documented a widespread lack of controls on the personal data of the 127 million Americans who hold passports, finding numerous "weaknesses, including a general lack of policies, procedures, guidance and training." The State Department had maintained that its system worked when the candidates' passport breaches were discovered.
"This is unacceptable. The report makes it clear that the private information of over 100 million Americans is vulnerable to unauthorized access," said Sen Joseph R. Biden Jr. (D-Del.).
The audit also suggests that some workers were motivated by fascination with the private lives of celebrities, none of whom were identified. One employee told investigators he simply liked looking up the records of professional basketball players.
The inspector general made 22 recommendations for improving security, but many of them -- and much of the report -- were redacted because officials feared they would provide a road map to further abuse of the system.
Investigators found that 20,500 government workers and contractors had access to the electronic system that maintained the records. Most of them worked for the State Department or the Department of Homeland Security.
Five contractors already have been fired, and dozens of people are under investigation for alleged snooping that took place in offices across the United States and even overseas.
The 192 million passport files maintained by the State Department contain individuals' passport applications, which include data such as Social Security numbers, physical descriptions, and names and places of birth of the applicants' parents. Otherwise, the files provide limited information; they do not contain records of overseas travel or visa stamps from previous passports.
To test the extent of the snooping, investigators assembled a list of 150 famous Americans and checked how many times their files were accessed over a 5 1/2 -year period. Investigators found that the records of 127, or 85 percent, had been searched a total of more than 4,100 times.
The report said that "although an 85 percent hit rate appears to be excessive, the Department currently lacks criteria to determine whether this is actually an inordinately high rate."
But one official said there would be little reason to look at the files unless a passport was being renewed or information was being updated. "It should be zero or one time over five years for the normal average American," he said, speaking on the condition of anonymity.
Investigators developed the roster of high-profile people using names most frequently searched on Google in 2006 and 2007, supplemented by lists such as the Forbes 400 list of richest Americans and Sports Illustrated's "Fortunate 50" highest-paid athletes.
When the scandal erupted earlier this year, State Department officials suggested that the department maintained a list of "flagged files" to ensure that records of high-profile individuals were not breached. But investigators found that only 38 people were on the watch list, and there was no system or specific methodology for putting them there.
The watch list has since been expanded to more than 1,000 people, including all members of Congress, Supreme Court justices, senior administration officials, and entertainers, media personalities and sports figures.
State Department officials said they would implement almost all the report's recommendations -- including adding random audits of all passport files and cutting by half the number of people authorized to view the records -- and would discipline employees found to have violated privacy policies.
"We are reviewing the circumstances under which people looked at these records and we will take action," said Michael Kirby, a senior official with the State Department's Bureau of Consular Affairs, which handles passports. "If it's inappropriate access, we will take appropriate measures."
Privacy Act violations could result in misdemeanor penalties or fines if workers disclosed personal information to a third party not authorized to receive it. Another law, the Computer Fraud and Abuse Act, could result in criminal penalties for unauthorized access to government computer systems.
State Department officials said that if they discover that the breaches resulted in identity theft or other problems for passport holders, they will notify them and offer credit-protection services. But officials said there have been no reports that the information in the applications was improperly used.