Intelligence Gap: How a Chinese National Gained Access to Arizona’s Terror Center
The un-vetted computer engineer plugged into law enforcement networks and a database of 5 million Arizona drivers in a possible breach that was kept secret for years.
Lizhong Fan’s desk was among a crowd of cubicles at the Arizona Counter Terrorism Information Center in Phoenix. For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.
The facility had been set up by state and local authorities in the aftermath of the 9/11 terror attacks, and so, out of concerns about security, Fan had been assigned a team of minders to watch him nearly every moment inside the center. Fan, hired as a contract employee specializing in facial recognition technology, was even accompanied to the bathroom.
However, no one stood in Fan’s way when he packed his equipment one day in early June 2007, then returned home to Beijing.
There’s a lot that remains mysterious about Fan’s brief tenure as a computer programmer at the Arizona counterterrorism center. No one has explained why Arizona law enforcement officials gave a Chinese national access to such protected information. Nor has anyone said whether Fan copied any of the potentially sensitive materials he had access to.
But the people responsible for hiring Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed. Fan, they said, was authorized to use the state’s driver’s license database as part of his work on a facial recognition technology. He often took that material home, and they fear he took it back to China.
Under Arizona law, then-Gov. Janet Napolitano and Maricopa County Sheriff Joe Arpaio, whose agencies admitted Fan into the intelligence center, were required to disclose to the public any “unauthorized acquisition and access to unencrypted or unredacted computerized data” that includes names and other personal information.
To this day, they have not.
Terry Goddard, attorney general of Arizona in 2007, said Fan’s access and disappearance should have been reported to his office, but it was not. Arizona law puts the attorney general in charge of enforcing disclosure.
The state was supposed to have scrubbed drivers' names and addresses from the license data. State officials denied requests to discuss the extent of the data breach, including what personal information was in the files.
In fact, a review of records shows that David Hendershott, who was second-in-command at the sheriff’s office, moved aggressively to maintain silence, a silence that has now lasted some seven years. Two weeks after Fan departed, Hendershott directed others in writing not to discuss Fan and the possible breach. In an email to the outside contractor that had hired Fan, Hendershott wrote: “Keep this between us and only us.”
Even among administrators at the Phoenix center, very few learned that the Chinese programmer had left the country or that their own personal information might have traveled with him. Mikel Longman, the former criminal investigations chief at the Arizona Department of Public Safety, said he received no warning about the incident.
“That really is outrageous,” Longman said. “Every Arizona resident who had a driver’s license or state-issued ID card and all that identifying stuff is potentially compromised. That’s a huge breach.”....
The Center for Investigative Reporting and ProPublica collaborated on this story. Ryan Gabrielson is a former CIR reporter who has since moved to ProPublica. To learn more about CIR and ProPublica, visit cironline.org and propublica.org.
-In the absence of greatness, mediocrity thrives.