Gill et al v. Department of Justice et al
Filing
1
COMPLAINT for Declaratory and Injunctive Relief against Department of Justice, Eric H. Holder, Jr, Kshemendra Paul, Program Manager - Information Sharing Environment (Filing fee $ 400.00, receipt number 0971-8757477.). Filed by James Prigoff, Wiley Gill, Khaled Ibrahim, Aaron Conklin. (Attachments: # 1 Civil Cover Sheet)(Loeb, Jonathan) (Filed on 7/10/2014) Modified on 7/10/2014 (gbaS, COURT STAFF).
BINGHAM MCCUTCHEN LLP
Jonathan Loeb (#162758) jonathan.loeb@bingham.com
Jeffrey Rosenfeld (#221625) jeffreyrosenfeld@bingham.com
Edward Andrews (#268479) edward.andrews@bingham.com
The Water Garden, Suite 2050 North
1601 Cloverfield Boulevard
Santa Monica, CA 90404-4082
Telephone: 310-907-1000
Facsimile: 310-907-2000
AMERICAN CIVIL LIBERTIES UNION FOUNDATION
OF NORTHERN CALIFORNIA
Linda Lye (#215584) llye@aclunc.org
Julia Harumi Mass (#189649) jmass@aclunc.org
39 Drumm Street
San Francisco, CA 94111
Telephone: 415-621-2493
Facsimile: 415-255-8437
ASIAN AMERICANS ADVANCING
JUSTICE - ASIAN LAW CAUCUS
Nasrina Bargzie (#238917) nasrinab@advancingjustice-alc.org
Yaman Salahi (#288752) yamans@advancingjustice-alc.org
55 Columbus Avenue
San Francisco, CA 94111
Telephone: 415-848-7711
Facsimile: 415-896-1702
Attorneys for Plaintiffs Wiley Gill, James Prigoff, Tariq Razak, Khaled Ibrahim, and Aaron Conklin
Additional counsel listed on signature page
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO-OAKLAND DIVISION
WILEY GILL; JAMES PRIGOFF; TARIQ RAZAK; KHALED IBRAHIM; and AARON CONKLIN,
Plaintiffs,
v.
DEPARTMENT OF JUSTICE; ERIC H. HOLDER, Jr., in his official capacity as the Attorney General of the United States; PROGRAM MANAGER - INFORMATION SHARING ENVIRONMENT; KSHEMENDRA PAUL, in his official capacity as the Program Manager of the Information Sharing Environment,
Defendants.
No. __________________
COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF
Administrative Procedure Act Case
COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF
INTRODUCTION
1. This complaint challenges a widespread domestic surveillance program that targets constitutionally protected conduct and encourages racial and religious profiling. Plaintiffs are five United States citizens – two photographers, one white man who is a devout Muslim, and two men of Middle Eastern and South Asian descent. They engaged in innocuous, lawful, and in some cases First Amendment protected activity. Two were photographing sites of aesthetic interest, one was likely viewing a website about video games inside his home, one was buying computers at Best Buy, and another was standing outside a restroom at a train station while waiting for his mother. Due to the standards issued by Defendants that govern the reporting of information about people supposedly involved in terrorism, Plaintiffs were reported as having engaged in “suspicious activities,” reports about them were entered into counterterrorism databases, and they were subjected to unwelcome and unwarranted law enforcement scrutiny and interrogation. Defendants’ unlawful standards for maintaining a federal law enforcement database regarding such supposedly “suspicious” activities have not yielded any demonstrable benefit in the fight against terrorism, but they have swept up innocent Americans in violation of federal law.
2. Through the National Suspicious Activity Reporting Initiative (“NSI”), the federal government encourages state and local law enforcement agencies as well as private actors to collect and report information that has a potential nexus to terrorism in the form of so-called Suspicious Activity Reports (“SARs”). SARs are collected and maintained in various counterterrorism databases and disseminated to law enforcement agencies across the country. An individual who is reported in a SAR is flagged as a person with a potential nexus to terrorism and automatically falls under law enforcement scrutiny, which may include intrusive questioning by local or federal law enforcement agents. Even when the Federal Bureau of Investigation concludes that the person did not have any nexus to terrorism, a SAR can haunt that individual for decades, as SARs remain in federal databases for up to 30 years.
3. Defendants Department of Justice (“DOJ”) and Program Manager of the Information Sharing Environment (“PM-ISE”) have issued standards governing the types of information that should be reported in a SAR. Both standards authorize the collection, maintenance, and dissemination of information, in the absence of any reasonable suspicion of criminal activity. Defendants have also identified specific categories of behavior that they claim satisfy each agency’s standard and should be reported as suspicious. These behavioral categories range from the constitutionally protected (photographing infrastructure) to the absurd (“acting suspiciously”).
4. Defendants’ standards conflict with a duly promulgated regulation of Defendant DOJ that prohibits the collection, maintenance, and dissemination of criminal intelligence information, unless there is reasonable suspicion of criminal activity. See 28 C.F.R. § 23 (1993). The regulation’s reasonable suspicion requirement reflects the constitutional principle that law enforcement should not take action against someone, unless there is good reason to believe criminal activity is afoot. Neither of Defendants’ standards for reporting suspicious activity was promulgated in accordance with the notice and comment requirements of the Administrative Procedure Act (“APA”), 5 U.S.C. § 551 et seq. (2012). As a result, Defendants’ issuance and implementation of standards for suspicious activity reporting violate federal statutory requirements that agencies not act in an arbitrary and capricious manner and observe the procedures required by law. Through this action for declaratory and injunctive relief, Plaintiffs seek to set aside as unlawful Defendants’ standards for suspicious activity reporting.
PARTIES
5. Plaintiff Wiley Gill is a United States citizen and a custodian at California State University, Chico (“Chico State”). Mr. Gill converted to Islam while he was a student at Chico State. He resides in Chico, California. He is the subject of a SAR, attached as Appendix A to this Complaint. The SAR was uploaded to eGuardian, a law enforcement database maintained by the FBI. The SAR identifies Mr. Gill as a “Suspicious Male Subject in Possession of Flight Simulator Game.” Mr. Gill was likely viewing a website about video games on his computer at home, when two officers of the Chico Police Department entered and searched his home without voluntary consent or a warrant based on probable cause.
6. Plaintiff James Prigoff is a United States citizen and an internationally renowned photographer of public art. Mr. Prigoff resides in Sacramento, California. Private security guards warned Mr. Prigoff not to photograph a piece of public art called the “Rainbow Swash” in Boston, Massachusetts. As a result of that encounter, an agent of the Federal Bureau of Investigation (“FBI”) went to Mr. Prigoff’s home in Sacramento several months later and questioned at least one neighbor about him. Upon information and belief, Mr. Prigoff is the subject of a SAR or SAR precursor report.
7. Plaintiff Khaled Ibrahim is a United States citizen of Egyptian descent who works as an accountant for Nordix Computer Corporation, a computer network consulting and service company. He formerly worked as a purchasing agent for Nordix. Mr. Ibrahim resides in San Jose, California. Mr. Ibrahim is the subject of a SAR, attached as Appendix B to the Complaint. The SAR describes a “[s]uspicious attempt to purchase large number of computers.” Mr. Ibrahim attempted to make a bulk purchase of computers from a Best Buy retail store in Dublin, California, in his capacity as a purchasing agent for Nordix. The SAR was uploaded to eGuardian, a law enforcement database maintained by the FBI. Dublin is located in Alameda County, California.
8. Plaintiff Tariq Razak is a United States citizen of Pakistani descent. A graduate of the University of California at Irvine, he works in the bio-tech industry. Mr. Razak resides in Placentia, California. Mr. Razak is the subject of a SAR, attached as Appendix C to this Complaint. The SAR identifies Mr. Razak as a “Male of Middle Eastern decent [sic] observed surveying entry/exit points” at the Santa Ana Train Depot and describes him as exiting the facility with “a female wearing a white burka head dress.” Mr. Razak had never been to the Depot before and was finding his way to the county employment resource center, which is located inside the Depot and where he had an appointment. The woman accompanying him was his mother.
9. Plaintiff Aaron Conklin is a graphic design student and amateur photographer. He resides in Vallejo, California. Private security guards have twice prevented Mr. Conklin from taking photographs of industrial architecture from public locations. One such incident occurred outside the Shell refinery in Martinez, California, and resulted in Mr. Conklin being detained and having his camera and car searched by Contra Costa County Sheriff’s Deputies, who told Mr. Conklin that he would be placed on an “NSA watchlist.” Upon information and belief, Mr. Conklin is the subject of a SAR. Martinez is located in Contra Costa County, California.
10. Defendant DOJ is a federal agency within the meaning of the APA, 5 U.S.C. § 551(1). DOJ, through its components, has issued a standard governing SAR reporting, conducts trainings on that standard, and plays a major role in implementing the NSI.
11. The FBI is a component of DOJ with both intelligence and law enforcement responsibilities. The FBI has issued a standard governing the reporting of SARs, and trains law enforcement and private sector personnel on its SAR reporting standard. The FBI oversees and maintains the eGuardian system, which serves as a repository for SARs and allows thousands of law enforcement personnel and analysts across the country to access SARs in the eGuardian system. The FBI is one of the primary entities responsible for the NSI.
12. The Office of Justice Programs (“OJP”) was created pursuant to 42 U.S.C. § 3711 (2012) and is a component of Defendant DOJ. OJP administers grants to state and local law enforcement entities. Upon information and belief, OJP funding supports, among other things, entities that engage in the collection, maintenance, and dissemination of SARs, and systems that collect, maintain, and disseminate SARs.
13. The Bureau of Justice Assistance (“BJA”), within OJP, provides assistance to local criminal justice programs through policy, programming, and planning. BJA served as the executive agent of the NSI until October 2013. BJA has issued a standard governing the reporting of SARs, and conducts trainings on its SAR reporting standard.
14. The Program Management Office (“PMO”), also a component of DOJ, has played a key role in implementing the NSI. On December 17, 2009, DOJ was named the executive agent to establish and operate the PMO for the NSI. In March 2010, DOJ established the NSI PMO within BJA to support nationwide implementation of the SAR process.
15. Defendant Eric Holder is the Attorney General of the United States and as the head of DOJ is responsible for the regulations, guidelines, and standards adopted by DOJ. He is sued in his official capacity.
16. Defendant PM-ISE is a federal agency within the meaning of the APA, 5 U.S.C. § 551(1) (2012). Pursuant to the Intelligence Reform and Terrorism Prevention Act of 2004 (“IRTPA”), PM-ISE is charged with issuing uniform standards for sharing terrorism and homeland security information across federal, state, and local governments. 6 U.S.C. § 485 (2012). PM-ISE has issued a standard governing SAR reporting and conducts trainings on that standard. PM-ISE’s standard for SAR reporting is set forth in “Information Sharing Environment (ISE) - Functional Standard (FS) - Suspicious Activity Reporting (SAR) Version 1.5” (“Functional Standard 1.5”), which the agency issued in May 2009. Functional Standard 1.5 is attached as Appendix D to this Complaint.
17. Defendant Kshemendra Paul occupies the office of the PM-ISE, is the head of PM-ISE, and is responsible for the regulations, guidelines, and standards adopted by PM-ISE. He is sued in his official capacity.
JURISDICTION AND VENUE
18. This is an action under the APA, to set aside agency actions because they are arbitrary and capricious, an abuse of discretion, and not in accordance with law, and because they are without observance of procedure required by law. See 5 U.S.C. § 706 (2)(A), (D) (2012). This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1331 and § 1349 (2012).
19. The Court has authority to grant declaratory relief pursuant to the Declaratory Judgment Act, 28 U.S.C. § 2201 and § 2202 (2012).
20. Venue is proper in this district pursuant to 28 U.S.C. § 1391(e) (2012) because Defendants are agencies of the United States and officers of the United States sued in their official capacities, a substantial part of the events or omissions giving rise to this action occurred in this district, including Alameda and Contra Costa Counties, and one or more plaintiffs reside in this district.
INTRADISTRICT ASSIGNMENT
21. Pursuant to Local Rule 3-2(c) and (d), assignment to the San Francisco-Oakland Division is proper because a substantial part of the events giving rise to this action occurred in Alameda and Contra Costa Counties.
FACTUAL ALLEGATIONS
A. The Nationwide Suspicious Activity Reporting Initiative
22. The federal government created the NSI to facilitate the sharing of information potentially related to terrorism across federal, state, local, and tribal law enforcement agencies. In particular, the NSI creates the capability to share reports of information with a potential nexus to terrorism, which have been dubbed Suspicious Activity Reports.
23. Fusion centers are focal points of the system for sharing SARs. There are currently 78 fusion centers nationwide. They are generally, though not always, owned and operated by state or local government entities. Fusion centers receive federal financial support, including from OJP.
24. Defendants PM-ISE and DOJ train state, local, and tribal law enforcement agencies as well as private entities to collect information about activities with a potential nexus to terrorism based on the standard each agency has adopted, and to submit the information in the form of a SAR, either to a fusion center or the FBI.
25. Fusion centers gather, receive, store, analyze, and share terrorism and other threat-related information, including SARs. On information and belief, fusion centers collect, maintain, and disseminate SARs through databases that receive financial support from OJP.
26. Defendants train fusion center analysts in their respective standards for SAR reporting. Fusion center analysts review submitted SARs. If a SAR meets Defendants’ standards, it is uploaded to one or more national databases, such as the FBI’s eGuardian system, where it can be accessed by the FBI and law enforcement agencies across the country. The federal government maintains SARs sent to the FBI’s eGuardian system for 30 years. This is done even when the FBI determines that the SAR has no nexus to terrorism. See Functional Standard 1.5 at 34, 53; United States Government Accountability Office, “Information Sharing: Additional Actions Could Help Ensure That Efforts to Share Terrorism-Related Suspicious Activity Reports Are Effective” at 7 (March 2013) (“GAO SAR Report”).
27. Pursuant to the process created by Defendants PM-ISE and DOJ for suspicious activity reporting, individuals who are the subject of a SAR are automatically subjected to law enforcement scrutiny at multiple levels of government. That scrutiny may include, but is not limited to, follow-up interviews and other forms of investigation by law enforcement. For example:
(a) At the initial response and investigation stage, and even before a SAR is submitted to a fusion center or the FBI, Defendant PM-ISE instructs the federal, state, local, or tribal law enforcement agency with jurisdiction to respond to the reported observation by “gather[ing] additional facts through personal observations, interviews, and other investigative activities. This may, at the discretion of the [responding] official, require further observation or engaging the suspect in conversation.” Functional Standard 1.5 at 32.
(b) Fusion center personnel “tak[e] steps to investigate SARs – such as interviewing the individual engaged in suspicious activity or who witnessed suspicious activity – before providing the SARs to the FBI.” GAO SAR Report at 16. Officials from fusion centers do investigative work as part of their vetting process. Id. at 17.
(c) The FBI reviews all SARs that it receives from fusion centers for follow-up. That follow-up can take the form of an interview with the subject of the SAR, and includes, but is not limited to, engaging in a threat assessment of or opening an investigation into the subject.
(d) FBI agents have admitted that they are required to follow-up on SARs, even when they know the individual does not pose a threat. For example, a professional freelance photographer in Los Angeles, California who specializes in industrial photography, has twice been interviewed by the FBI after photographing industrial sites. After security guards instructed him not to photograph certain industrial sites in the area of the Port of Long Beach in April 2008, FBI agents visited him at his home to question him about the incident. The FBI contacted him again, after Los Angeles Sheriff’s Department personnel interfered with his efforts to photograph another industrial site in approximately December 2009. The FBI agent told the photographer that he knew the photographer did not pose a threat but that because a report had been opened, he was required to follow-up on it.
(e) As explained above, SARs that have been uploaded to a national database can be accessed by law enforcement agencies nationwide. Once uploaded to a national database, the subject of a SAR faces scrutiny and potential investigation by one or more of the law enforcement agencies across the country that has access to the database. That scrutiny is only increasing, as queries of national SAR databases have dramatically jumped in recent years. The number of queries of national SAR databases such as eGuardian has risen from about 2,800 queries as of July 2010 to more than 71,000 queries as of February 2013. See GAO SAR Report at 36.
28. This surveillance program has not proven effective in the fight against terrorism. The United States Government Accountability Office (“GAO”) has faulted the program for failing to demonstrate any results-oriented outcomes, such as arrests, convictions, or thwarted threats, even though tens of thousands of SARs had been deemed sufficiently significant to be uploaded to national SAR databases as of October 2012. See GAO SAR Report at 33, 36-38. In 2012, a Senate Subcommittee reviewed a year of similar intelligence reporting from state and local authorities, and identified “dozens of problematic or useless” reports “potentially violating civil liberties protections.” United States Senate, Permanent Subcommittee on Investigations, Committee on Homeland Security and Governmental Affairs, “Federal Support for and Involvement in State and Local Fusion Centers,” October 3, 2012 at 27. Another report, co-authored by Los Angeles Police Department Deputy Chief Michael Downing, found that SARs have “flooded fusion centers, law enforcement, and other security entities with white noise.” The George Washington University Homeland Security Policy Institute, “Counterterrorism Intelligence: Fusion Center Perspectives,” June 26, 2012 at 31.
29. While the SARs process has not proven effective in combating terrorism, it has been extremely effective in sweeping up innocent Americans and recording their lawful activity in federal counterterrorism databases. Over 1,800 SARs from fusion centers in California show that the program targets First Amendment protected activity such as photography and encourages racial and religious profiling. Examples of SARs that met Defendants’ standards for SAR reporting and have been uploaded to the FBI’s eGuardian database include:
“Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water”
A sergeant from the Elk Grove Police Department reported “on a suspicious individual in his neighborhood”; the sergeant had “long been concerned about a residence in his neighborhood occupied by a Middle Eastern male adult physician who is very unfriendly”
“Female Subject taking photos of Folsom Post Office”
“an identified subject was reported to be taking photographs of a bridge crossing the American River Bike trail”
“I was called out to the above address regarding a male who was taking photographs of the [name of facility blacked out] [in Commerce, California]. The male stated, he is an artist and enjoys photographing building[s] in industrial areas … [and] stated he is a professor at San Diego State private college, and takes the photos for his art class.”
“I observed a male nonchalantly taking numerous pictures inside a purple line train [in Los Angeles County] … The male said he was taking pictures because they were going to film the television show ‘24’ on the train next week.”
“two middle eastern looking males taking photographs of Folsom Dam. One of the ME males appeared to be in his 50’s”
“Suspicious photography of the Federal Courthouse in Sacramento”: an “AUSA [Assistant United States Attorney] reported to the Court Security Officer (CSO) a suspicious vehicle occupied by what [name blacked out] described as two Middle Eastern males, the passenger being between 40-50 years of age.”
“Suspicious photography of Folsom Dam by Chinese Nationals”: “a Sac County Sheriff's Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle.”
B. Conflicting Federal Rules for Collection of Intelligence Information
30. Defendants have issued three separate rules governing the collection of intelligence information, in particular, suspicious activity reports. Only one of these rules, however, requires reasonable suspicion of criminal activity for the information to be collected, maintained, and disseminated, and only that rule was duly promulgated under the APA.
1. 28 C.F.R. Part 23
31. On June 19, 1968, President Lyndon B. Johnson signed into law the Omnibus Crime Control and Safe Streets Act of 1968 (“Omnibus Act”). The Act created the Law Enforcement Administration Agency (“LEAA”), a forerunner to OJP and a component of DOJ, and authorized it to oversee the distribution of federal grants to state and local law enforcement programs.
32. In 1978, after observing the notice and comment process set forth in the APA, Defendant DOJ, through its component the LEAA, published a final rule establishing operating principles for “Criminal Intelligence Systems.” See 28 C.F.R. § 23 (1993). The regulation was promulgated pursuant to the LEAA’s statutory mandate to ensure that criminal intelligence is not collected, maintained, or disseminated “in violation of the privacy and constitutional rights of individuals.” 42 U.S.C. § 3789g(c) (2012).
33. Several commenters on the then-proposed regulation “were concerned that the collection and maintenance of intelligence information should only be triggered by a reasonable suspicion that an individual is involved in criminal activity.” See 43 Fed. Reg. 28,572 (June 30, 1978). The agency concurred, and the proposed operating principles were “revised to require this criteria as a basis for collection and maintenance of intelligence information.” Id.
34. Among other requirements, the final rule provides that a “project shall collect and maintain criminal intelligence information concerning an individual only if there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.” 28 CFR § 23.20(a).
35. In addition, the regulation states that while “pooling of information about” various kinds of criminal activities such as drug trafficking, smuggling, and public corruption can be helpful in “expos[ing] … ongoing networks of criminal activity,” “the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relates,” and the privacy guidelines set forth in 28 CFR Part 23 are therefore necessary. 28 CFR § 23.2.
36. In 1980, DOJ amended the rule, following the public notice and comment process set forth in the APA, to extend the reach of 28 C.F.R. Part 23 to criminal intelligence systems funded by both discretionary and formula grants. 45 Fed. Reg. 61,612 (Sep. 17, 1980).
37. DOJ amended the rule again in 1993 to include a definition of “reasonable suspicion”:
Reasonable Suspicion . . . is established when information exists which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.
See 28 C.F.R. § 23.20.
38. “Reasonable suspicion” is the time-tested, constitutional standard that limits law enforcement from taking action against someone, unless there is good reason to believe criminal activity is afoot.
39. One commenter argued that “reasonable suspicion . . . is not necessary to the protection of individual privacy and Constitutional rights, [and suggested] instead that information in a funded intelligence system need only be ‘necessary and relevant to an agency’s lawful purposes.’” 58 Fed. Reg. 178, 48451 (Sept. 16, 1993). The agency disagreed, replying:
the potential for national dissemination of information in intelligence information systems, coupled with the lack of access by subjects to challenge the information, justifies the reasonable suspicion standard as well as other operating principle restrictions set forth in this regulation. Also, the quality and utility of ‘hits’ in an information system is enhanced by the reasonable suspicion requirement. Scarce resources are not wasted by agencies in coordinating information on subjects for whom information is vague, incomplete and conjectural.
Id.
40. DOJ made an attempt in 2008 to amend the regulation to weaken its privacy protections. In particular, the proposed rule would have (1) permitted information to be stored regarding organizations as well as individuals; (2) allowed information to be stored based on reasonable suspicion related to “domestic and international terrorism, including material support thereof,” and (3) eliminated the requirement that law enforcement agencies receiving information from a Criminal Intelligence System agree to comply with 28 C.F.R. Part 23, so that recipients would merely need to have procedures “consistent with” Section 23. See 73 Fed. Reg. 44,674 (July 31, 2008). This attempted rulemaking, however, met with criticism and DOJ withdrew its proposed rule. The regulation has remained unchanged since its last amendment in 1993.
41. In short, in initially adopting the regulation, DOJ emphasized the importance of the reasonable suspicion requirement and since then has expanded the scope of the regulation, reiterated the importance of the reasonable suspicion requirement, and withdrawn efforts to weaken the regulation’s privacy protections.
2. PM-ISE Standard for Suspicious Activity Reporting
42. Defendant PM-ISE subsequently issued a standard for SAR reporting that – unlike 28 CFR Part 23 – does not require reasonable suspicion of criminal activity before a suspicious activity report is collected, maintained, or disseminated and was not issued through the notice and comment procedure required by the APA, thus dodging public review.
43. Pursuant to the exercise of its statutory authority to “exercise governmentwide authority over the sharing of [terrorism and homeland security] information,” 6 U.S.C. § 485(f)(1) (2012), PM-ISE has issued “Functional Standards” governing suspicious activity reporting.
44. In or about May 2009, PM-ISE released Information Sharing Environment (ISE) - Functional Standard (FS) - Suspicious Activity Reporting (SAR) Version 1.5 (“Functional Standard 1.5”), which remains currently in effect. It sets forth the following standard for suspicious activity reporting: “[o]bserved behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” Functional Standard 1.5 at 2 (emphasis added).
45. The agency has expressly acknowledged that Functional Standard 1.5 requires “less than the ‘reasonable suspicion’ standard.” PM-ISE, Privacy, Civil Rights, and Civil Liberties Analysis and Recommendations–Nationwide Suspicious Activity Reporting Initiative at 12 (draft May 2010).
46. The document also identifies sixteen categories of activity that fall under the standard and provide a guide to law enforcement in determining what amounts to a suspicious activity. These categories include photography, observation/surveillance, and acquisition of materials or expertise. Functional Standard 1.5 at 29-30.
47. Functional Standard 1.5 applies to, inter alia, “all departments or agencies that possess or use terrorism or homeland security information.” Functional Standard 1.5 at 1. Functional Standard 1.5 applies to state, local, and tribal law enforcement agencies and fusion centers that participate in the NSI. Agencies participating in the NSI follow Functional Standard 1.5 in reporting suspicious activity.
48. Functional Standard 1.5 purports to define the scope of suspicious activity that should be reported for agencies participating in the NSI. The purpose of Functional Standard 1.5 is to standardize SAR reporting at the federal, state, and local levels.
49. PM-ISE trains participants in the NSI about, among other things, how to follow Functional Standard 1.5.
50. In promulgating Functional Standard 1.5, PM-ISE expressly cited its legislative authority under, inter alia, the IRTPA over governmentwide standards for information sharing. Functional Standard 1.5 at 1.
51. Functional Standard 1.5 constitutes final agency action and a legislative rule within the meaning of the APA.
52. PM-ISE issued Functional Standard 1.5 without observing the process set forth in the APA for public notice and comment. Functional Standard 1.5 went into immediate effect upon its publication on May 1, 2009 and remains currently in effect.
3. DOJ Standard for Suspicious Activity Reporting
53. Defendant DOJ, through its components, has issued a standard for SAR reporting (“DOJ’s SAR Standard”) that – unlike 28 CFR § 23 – does not require reasonable suspicion of criminal activity before a suspicious activity report is collected, maintained, or disseminated and was not issued through the notice and comment procedure required by the APA, thus dodging public review.
54. DOJ, through its component the FBI, has set forth the following standard for suspicious activity reporting: “observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal or other illicit intention.” FBI, Privacy Impact Assessment for the eGuardian Threat Tracking System at § 1.1 (emphasis added). This standard is set forth in the FBI’s 2008 eGuardian Privacy Impact Assessment (“2008 eGuardian PIA”), which is attached as Appendix E to this Complaint. “[T]he FBI uses the criteria in the eGuardian Privacy Impact Assessment (dated November 25, 2008) … to determine if SARs have a potential nexus to terrorism.” GAO SAR Report at 6 n.10.
55. DOJ’s “may be indicative” SAR Standard is even broader than PM-ISE’s “reasonably indicative” Functional Standard 1.5. See GAO SAR Report at 15-16. But like Functional Standard 1.5, DOJ’s SAR Standard encourages reporting even in the absence of reasonable suspicion of criminal activity.
56. Just as Defendant PM-ISE has enumerated categories of behavior that fall under its “reasonably indicative” reporting standard, DOJ through its components has also enumerated categories of behavior that fall under its “may be indicative” reporting standard. These categories of behavior are broader than the categories set forth in Functional Standard 1.5 and include but are not limited to:
(a) “Possible indicators of terrorist behaviors at hotels:…” FBI and United States Department of Homeland Security, “Roll Call Release,” July 26, 2010, attached as Appendix F to this Complaint.
    (1) “Using payphones for outgoing calls or making front desk requests in person to avoid using the room telephone.” Id.
    (2) “Interest in using Internet cafes, despite hotel Internet availability….” Id.
    (3) “Requests for specific rooms, floors, or other locations in the hotel….” Id.
    (4) “Multiple visitors or deliveries to one individual or room.” Id.
(b) “No obvious signs of employment.” FBI, “Quick Reference Terrorism Card,” attached as Appendix G to this Complaint.
(c) “Possess student visa but not English Proficient.” Id.
(d) “Persons not fitting into the surrounding environment, such as wearing improper attire for the location.” Id.
(e) “Persons exhibiting unusual behavior such as staring or quickly looking away from individuals or vehicles as they enter or leave designated facilities or parking areas.” Id.
(f) “A blank facial expression in an individual may be indicative of someone concentrating on something not related to what they appear to be doing.” Id.
(g) “[P]eople in places where they do not belong.” Bureau of Justice Assistance, “Communities Against Terrorism: Potential Indicators of Terrorist Activities Related to the General Public,” attached as Appendix H to this Complaint.
57. One category of behavior identified by DOJ as “suspicious” activity that should be reported is a “catch-all”:
(a) “[P]eople acting suspiciously.” Id.
58. DOJ through its components has also issued “Potential Indicators of Terrorist Activities Related to Electronic Stores” (attached as Appendix I to this Complaint) and “Potential Indicators of Terrorist Activities Related to Mass Transportation” (attached as Appendix J to this Complaint). Activities identified as suspicious in connection with mass transportation include “[a]cting nervous or suspicious,” and “[u]nusual or prolonged interest in … entry points and access controls.”
59. DOJ through its components trains participants in the NSI about DOJ’s SAR Standard. For example, as of 2013, the PMO had provided training for 290,000 line officers (law enforcement officers whose routine duties put them in a position to observe “suspicious” activity), 2,000 analytical personnel, and executives from 77 fusion centers. See GAO SAR Report at 29. DOJ components teach participants in the NSI, including frontline officers and fusion center analysts to submit to the FBI “all potentially terrorism-related information and not just ISE-SARs that met the [PM-ISE’s] Functional Standard [1.5].” GAO SAR Report at 16.
60. DOJ’s SAR Standard applies to state, local, and tribal law enforcement agencies and fusion centers that participate in the NSI. Agencies participating in the NSI follow DOJ’s SAR Standard in reporting suspicious activity.
61. DOJ’s SAR Standard purports to define the scope of suspicious activity that should be reported for agencies participating in the NSI. The purpose of DOJ’s SAR Standard is to standardize SAR reporting at the federal, state, and local levels.
62. Because DOJ’s SAR Standard is broader than PM-ISE’s Functional Standard 1.5 and DOJ’s behavioral categories include the catch-all “people acting suspiciously,” any activity that falls under PM-ISE’s Functional Standard also falls under DOJ’s SAR Standard.
63. Fusion centers that follow DOJ’s SAR Standard instead of PM-ISE’s Functional Standard 1.5 send many SARs to the FBI for review. For example, of the SARs uploaded by one state’s fusion center to a national SAR database from June 2011 to October 2012, only 10% met PM-ISE’s Functional Standard 1.5. See GAO SAR Report at 16.
64. DOJ establishes an even broader standard than the already overbroad Functional Standard 1.5, and the DOJ reinforces its broader standard through the trainings it provides to NSI participants and through other mechanisms. For example, when fusion center personnel are uncertain whether to share a SAR, DOJ encourages them to err on the side of overreporting. See GAO SAR Report at 16. In addition, the only feedback mechanism participants in the NSI currently receive on whether they are reporting SARs appropriately is provided by the FBI through its eGuardian system. See GAO SAR Report at 13-14. The feedback the FBI provides reinforces the DOJ SAR Standard to NSI participants.
65. DOJ’s 2008 eGuardian PIA, which sets forth the agency’s standard for reporting suspicious activity, was signed by four “Responsible Officials,” two “Reviewing Officials,” and one “Approving Official.” It reflects the consummation of the agency’s decision making process.
66. DOJ’s 2008 eGuardian PIA contains a set of mandatory, non-discretionary rules and obligations. It lays out clear instructions for the use of the eGuardian system to collect and share SARs and the standard for defining “suspicious activity.” For example, the 2008 eGuardian PIA states that the eGuardian system will “ensure consistency of process and of handling protocols” and mandates that all users “will be required to complete robust system training that will incorporate eGuardian policies and procedures.” 2008 eGuardian PIA at 4. In addition, the eGuardian User Agreement, attached to the 2008 eGuardian PIA, states that “[i]ncidents not meeting the criteria of suspicious activity or with a potential nexus to terrorism and that, further, do not comply with the above-stated rules, will be immediately deleted from eGuardian.” 2008 eGuardian PIA at 25.
67. DOJ has consistently reinforced its standard for SAR reporting, set forth in the 2008 eGuardian PIA, through training materials and other publications that identify categories of behavior that the agency contends are suspicious and should be reported.
68. In promulgating DOJ’s SAR Standard, DOJ expressly invoked its statutory “mandate” under IRTPA and “other statutes … to share terrorism information with other federal, and state, local and tribal (SLT) law enforcement partners.” 2008 eGuardian PIA at 2.
69. DOJ’s SAR Standard constitutes final agency action and a legislative rule within the meaning of the APA.
70. Defendant DOJ issued the DOJ SAR Standard without observing the process set forth in the APA for public notice and comment. It is the DOJ Standard for SAR reporting currently in effect.
4. PM-ISE’s Functional Standard 1.5 and DOJ’s SAR Standard Conflict with 28 CFR Part 23
71. As a report of “[o]bserved behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity” (Functional Standard 1.5) or a report of “observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal or other illicit intention” (DOJ’s SAR Standard), a SAR contains data relevant to the identification of an individual who is suspected in some fashion of being involved in criminal, in particular, terrorist activity.
72. A SAR constitutes “criminal intelligence” within the meaning of 28 CFR Part 23.
73. State, local, and tribal law enforcement agencies and fusion centers that participate in the NSI and observe PM-ISE’s Functional Standard 1.5 and/or DOJ’s SAR Standard collect, review, analyze, and disseminate SARs. These entities operate arrangements, equipment, facilities, and procedures, used for the receipt, storage, interagency exchange or dissemination, and analysis of SARs. Upon information and belief, these entities and the systems they operate for receiving, storing, exchanging, disseminating, and analyzing SARs operate through support from Defendant DOJ’s component OJP.
74. State, local, and tribal law enforcement agencies and fusion centers that participate in the NSI and observe PM-ISE’s Functional Standard 1.5 and/or DOJ’s SAR Standard are “projects” within the meaning of 28 CFR Part 23. The systems or databases on which SARs are maintained and through which they are collected and disseminated are “criminal intelligence systems” within the meaning of 28 CFR Part 23.
75. PM-ISE’s Functional Standard 1.5 and DOJ’s SAR Standard set forth operating principles for the collection, maintenance, and dissemination of data relevant to the identification of an individual who is suspected in some fashion of being involved in criminal, in particular, terrorist activity. Both standards, however, encourage or purport to authorize collection, maintenance, and dissemination of such data even in the absence of reasonable suspicion of criminal activity. Both standards encourage or purport to authorize collection, maintenance, and dissemination of much more data than that permitted under 28 CFR Part 23. Both standards therefore conflict with 28 CFR Part 23.
76. Through PM-ISE’s promulgation of Functional Standard 1.5 and DOJ’s promulgation of its SAR Standard, and through each agency’s training of entities participating in the NSI in their respective standards for reporting suspicious activity, Defendants PM-ISE, Paul, DOJ, and Holder have undermined and thereby violated 28 CFR Part 23.
77. Neither DOJ nor PM-ISE has offered any reasoned basis for departing from the reasonable suspicion standard set forth in 28 CFR Part 23 for the collection, maintenance, and dissemination of SARs.
78. DOJ could rescind its SAR reporting standard. If DOJ rescinded its SAR reporting standard, participants in the NSI would cease collecting, maintaining, reviewing, analyzing and disseminating SARs based on DOJ’s SAR Standard, and it would be clear that the governing standard for suspicious activity reporting is 28 CFR Part 23. As a result, individuals who are currently the subject of SARs but whose conduct did not give rise to a reasonable suspicion of criminal activity would no longer have their information collected, maintained, and disseminated in SAR databases. DOJ could cease collecting, maintaining, reviewing, analyzing, and disseminating SARs about individuals whose conduct did not give rise to a reasonable suspicion of criminal activity.
79. PM-ISE could rescind Functional Standard 1.5. If PM-ISE rescinded Functional Standard 1.5, participants in the NSI would cease collecting, maintaining, reviewing, analyzing and disseminating SARs based on Functional Standard 1.5, and it would be clear that the governing standard for suspicious activity reporting is 28 CFR Part 23. As a result, individuals who are currently the subject of SARs but whose conduct did not give rise to a reasonable suspicion of criminal activity would no longer have their information collected, maintained, and disseminated in SAR databases.
C. Plaintiff’s Allegations
1. Wiley Gill
80. Wiley Gill is a United States citizen living in Chico, California. He works as a custodian at Chico State, which he attended as an undergraduate. Mr. Gill converted to Islam in 2009, after learning about the religion in a course he took while a student at Chico State.
81. Mr. Gill is the subject of a SAR that identifies him as a “Suspicious Male Subject in Possession of Flight Simulator Game.” This SAR falls into one or more of the behavioral categories identified in Functional Standard 1.5, in particular, “[a]cquisition of [e]xpertise” and potentially “[a]viation [a]ctivity.” Functional Standard 1.5 at 29-30. It also falls under one or more behavioral categories identified by Defendant DOJ, such as the catch-all behavioral category of “acting suspiciously.”
82. Mr. Gill’s SAR was collected, maintained, and disseminated through a fusion center SAR database, and uploaded to eGuardian and/or another national SAR database. As a result, the FBI has scrutinized Mr. Gill, conducted extensive background checks on him, and created a file about him.
83. The SAR was created on or about May 23, 2012, and purports to document an encounter between Mr. Gill and the Chico Police Department (“CPD”) on or about May 20, 2012. The SAR states that a CPD officer was investigating a domestic violence incident and believed the suspect may have fled into Mr. Gill’s residence. The SAR states that this was later discovered to be unfounded. It acknowledges that the CPD officer searched Mr. Gill’s home. The SAR asserts that Mr. Gill’s computer displayed a screen titled something to the effect of “Games that fly under the radar,” which appeared to be a “flight simulator type of game.” The SAR concludes by describing Mr. Gill’s “full conversion to Islam as a young WMA [white, male adult],” “pious demeanor,” and “potential access to flight simulators via the internet” as “worthy of note.”
84. CPD’s search of Mr. Gill’s residence on or about May 20, 2012 did in fact occur. But the SAR contains numerous misstatements and omits several crucial facts, including that two CPD officers banged on Mr. Gill’s door and when he went to open it, they came around the corner of the house with their guns drawn and pointed at Mr. Gill. Mr. Gill was thrown off guard. The officers eventually lowered their guns, and then asked to search Mr. Gill’s home, based on the alleged domestic violence incident involving two individuals that they claimed to have received. Mr. Gill informed the officers that he was home alone. Despite that, the officers continued to ask to search his home. Mr. Gill was reluctant to grant permission, but felt that he had no choice under the circumstances. One officer remained with Mr. Gill outside, while the other searched his home. Mr. Gill did not feel free to leave. Mr. Gill cooperated with the officers’ request for identification. Mr. Gill believes that he was likely viewing a website about video games at the time of the May 20, 2012, incident.
85. On information and belief, the officers’ contention that they were investigating a domestic violence call was a pretext for searching Mr. Gill’s home because CPD had already decided to investigate Mr. Gill because of his religion.
86. The SAR also describes two earlier encounters between CPD and Mr. Gill, one at the Mosque that Mr. Gill attends and another while Mr. Gill was walking through downtown Chico “with elders.” The SAR describes Mr. Gill in these instances as “avoid[ing] eye contact” and “hesitant to answer questions.”
87. Mr. Gill recalls CPD officers visiting the Mosque he attends, paying what they described as a courtesy visit in an attempt to build good relations with the Muslim community. Mr. Gill listened to the presentation. When it was over, CPD officers asked Mr. Gill his name, whether he went to school, and if he was employed. Mr. Gill answered all of their questions. His understanding is that the officers did not question anyone else in this manner.
88. Mr. Gill also recalls encountering CPD officers while he was walking through downtown Chico with two older Muslim men who are friends from the Mosque. A CPD officer called out Mr. Gill’s name and asked Mr. Gill if he had found a job yet. Mr. Gill answered the question, but was caught off guard by the encounter because he did not recognize the officer and was surprised that the officer knew his name and employment status.
89. At no point during any of the encounters with CPD recounted in the SAR did Mr. Gill engage in conduct that gave rise to a reasonable suspicion of criminal activity.
90. The CPD also targeted Mr. Gill in two other encounters that are not described in the SAR, and that do not involve any conduct by Mr. Gill that gave rise to a reasonable suspicion of criminal activity, but instead reflect CPD’s suspicion of Mr. Gill because of his religion. One of the incidents occurred before CPD filed the SAR about Mr. Gill on or about May 23, 2012; the other occurred after. This religious harassment is attributable to the training of local law enforcement on the SARs standards and process.
91. In approximately September 2010, after Mr. Gill had converted to Islam, two CPD officers visited him at his apartment and requested to speak to him about supposedly “anti-American statements” that he had made. One of the officers referred to having a file on Mr. Gill, refused to explain what “anti-American statements” Mr. Gill had purportedly made or the source of the information, and stated that he wished to ensure Mr. Gill would not turn into another Mohammed Atta, one of the individuals identified as a September 11 hijacker. Mr. Gill still does not know how he came to the attention of the CPD.
92. Around or after July 2012, Mr. Gill also received a telephone call from a CPD officer. Over the phone, the CPD officer said Mr. Gill should shut down his Facebook page because of the video games Mr. Gill played. At the time, Mr. Gill had a picture of the Shahada, the Muslim statement of faith, on his Facebook page. Mr. Gill told the CPD officer he would not take down his Facebook page and Mr. Gill also told the CPD officer that he believed the CPD wanted Mr. Gill to take down his Facebook page because of its references to Islam. The CPD officer refused to comment on Mr. Gill’s observation, but stated that he had a report on Mr. Gill and indicated that Mr. Gill was on some kind of watch list.
93. By describing Mr. Gill’s conversion to Islam and “pious demeanor” in the SAR as “worthy of note,” CPD implicitly acknowledges that it found him “suspicious” because he is a devout Muslim.
94. Defendants’ issuance of overly broad definitions of “suspicious activity” and the categories of behavior they have identified as “suspicious” include, among other things, “[a]cquisition of expertise” (PM-ISE) and “[n]o obvious signs of employment” (DOJ). On information and belief, CPD officers are trained in Defendants’ standards for SAR reporting.
95. Defendants’ overly broad standards for reporting suspicious activity open the door to and encourage religious profiling. These standards opened the door to and encouraged the religious profiling of Mr. Gill by CPD, CPD’s repeated questioning and ongoing scrutiny of Mr. Gill, and CPD’s identification of Mr. Gill in a SAR as someone engaged in activity with a potential nexus to terrorism.
96. In addition, Functional Standard 1.5 instructs law enforcement agencies at the “[i]nitial [r]esponse and [i]nvestigation stage” to respond to the observation reported in a SAR, and “gather[] additional facts,” by, inter alia, “engaging the suspect in conversation” and “other investigative activities.” Functional Standard 1.5 at 32. The CPD was implementing the protocols set forth in Functional Standard 1.5 when it harassed Mr. Gill on or about May 2012, before, and after.
97. Because Mr. Gill is the subject of a SAR that falls under Defendants’ standards for suspicious activity reporting, Mr. Gill has been automatically subjected to law enforcement scrutiny. That scrutiny has included, among other things, CPD’s telephone call to him around or after July 2012 and the FBI’s creation of a file about and investigation of Mr. Gill.
98. Given the repeated harassment Mr. Gill has already suffered by CPD, he fears further action may be taken against him by CPD and other investigative agencies as the result of this SAR. He also fears further investigative harassment at the hands of the CPD and other agencies caused by the existence of the SAR.
99. Mr. Gill also has experienced frustration and stress resulting from the creation of the SAR based on innocent conduct. He is also deeply troubled by what may result from the collection, maintenance, and dissemination in a national database of a report describing him as engaging in suspicious activity with a potential nexus to terrorism.
100. The SAR about Mr. Gill is maintained and will continue to be maintained in one or more national SAR databases, where it can be accessed by law enforcement agencies across the country.
2. James Prigoff
101. James Prigoff is a United States citizen who resides in Sacramento, California. He is an internationally renowned photographer. The focus of his work is public art, such as murals and graffiti art. He has amassed over 80,000 photographic slides and published several books containing his photography. Mr. Prigoff is also a former business executive, having served as a Senior Vice President of the Sara Lee Corporation and a President of a division of Levi Strauss.
102. In or around the spring of 2004, Mr. Prigoff was in Boston, Massachusetts. While there, he sought to photograph a famous piece of public art known as the “Rainbow Swash,” located in the Dorchester neighborhood of Boston. The artwork is painted on a natural gas storage tank, which is surrounded by a chain link fence. It is highly visible to commuters from the local expressway.
103. Mr. Prigoff drove a rental car to a public area outside the fence surrounding the Rainbow Swash, and set up to take photographs. He chose the location in part because of favorable lighting conditions. From this location, the sun was behind him and casting its light on the Rainbow Swash. Before Mr. Prigoff could take any photographs, two private security guards came out from inside the fenced area and told him that he was not allowed to photograph, claiming the area was private property. Mr. Prigoff pointed out to the security guards that he was not, in fact, on private property. The guards still insisted that Mr. Prigoff could not photograph.
104. To avoid a confrontation with the guards, Mr. Prigoff departed. He left without giving the security guards any identifying information.
105. He drove further down the road to another public location outside the fenced perimeter and attempted to take photographs from this second location. But the guards began to follow him.
106. To avoid further harassment by the guards, he drove to a third location on the other side of the Rainbow Swash. The guards did not follow him to this third location, and he was finally able to take photographs of the Rainbow Swash unmolested. But the lighting conditions were significantly inferior to those at the first two locations; from this third location, he had to photograph into the sunlight.
107. At no point while he was attempting to photograph the Rainbow Swash did Mr. Prigoff engage in conduct that gave rise to a reasonable suspicion of criminal activity.
108. Mr. Prigoff subsequently discovered photographs online, including on the Rainbow Swash’s Wikipedia webpage. These widely available photographs were taken from vantage points closer than the three locations from which Mr. Prigoff attempted to and actually took photographs.
109. Mr. Prigoff returned to his home in Sacramento, California after his trip to Boston. A few months later, on or about August 19, 2004, he came home one day to find a business card affixed to his door from Agent A. Ayaz of the Joint Terrorism Task Force, which, as noted above, is a partnership between the FBI and other law enforcement agencies. On the back was a handwritten note stating, “Mr. Prigoff, please call me. Thanks.” Mr. Prigoff later learned from a neighbor across the street that two agents had knocked on her door and asked for information about Mr. Prigoff.
110. Mr. Prigoff called Mr. Ayaz, who asked if Mr. Prigoff had been to Boston. Realizing that Mr. Ayaz was referring to his efforts to photograph a piece of public art, Mr. Prigoff explained what had occurred. On information and belief, security guards at the site of the Rainbow Swash had submitted a SAR or SAR precursor report regarding Mr. Prigoff that included his rental car information, after which authorities traced him from Boston, Massachusetts, to his home in Sacramento, California.
111. Mr. Prigoff is very upset that he was tracked cross-country from Boston to Sacramento, and contacted by law enforcement agents at his home over his effort to engage in photography from a public location. Mr. Prigoff is also very upset that law enforcement agents questioned at least one of his neighbors about him, as such questioning casts the negative and strong implication that Mr. Prigoff had somehow engaged in misconduct.
112. Taking photographs of infrastructure falls under one or more of the behavioral categories identified by Defendant PM-ISE under Functional Standard 1.5 as “suspicious,” and also falls under one or more behavioral categories identified by Defendant DOJ, such as the catch-all behavioral category of “acting suspiciously.” After attempting to photograph a piece of public art painted on a natural gas storage tank in Boston, Mr. Prigoff was tracked to his home in Sacramento and questioned about his trip to Boston, even though he never provided the security guards with identifying information. On information and belief, Mr. Prigoff is the subject of a SAR or SAR precursor report, which was filed by security guards at the Rainbow Swash. On information and belief, the report about him was collected, maintained, and disseminated through a fusion center database, and uploaded to eGuardian and/or another national SAR or similar counterterrorism database. On information and belief, the report about him was collected, maintained, and disseminated under standards that authorized collection, maintenance and dissemination of information even in the absence of reasonable suspicion of criminal activity; Defendants’ standards for SAR reporting ratify that conduct.
113. On information and belief, security guards at the Rainbow Swash were trained in standards that encourage reporting of activity deemed connected to terrorism, even in the absence of reasonable suspicion of criminal activity; Defendants’ standards for SAR reporting ratify that conduct. Because of that training, they interfered with Mr. Prigoff’s lawful efforts to take photographs of the Rainbow Swash.
114. Because Mr. Prigoff is the subject of a report that falls under Defendants’ standards for suspicious activity reporting, Mr. Prigoff has been automatically subjected to law enforcement scrutiny. That scrutiny has included but may not be limited to a follow-up visit by an agent of the Joint Terrorism Task Force to his home, a telephone call with that agent, and inquiries by that agent of at least one of his neighbors about him.
115. Upon information and belief, the report about Mr. Prigoff is maintained and will continue to be maintained in one or more national SAR or similar counterterrorism databases, where it can be accessed by law enforcement agencies across the country.
116. Mr. Prigoff continues to be an active photographer and often takes pictures of architectural structures and post offices, among other sites that could be described as “infrastructure.” Because taking photographs of infrastructure falls under one or more of the behavioral categories identified by Defendant PM-ISE under Functional Standard 1.5 as “suspicious,” and also falls under one or more behavioral categories identified by Defendant DOJ, such as the catch-all behavioral category of “acting suspiciously,” he is likely to be the subject of another SAR in the future. He fears that his efforts to take photographs of such areas will be hindered again in the future.
117. Mr. Prigoff is also deeply troubled by what may result from the collection, maintenance, and dissemination in a national database of a report describing him as engaging in suspicious activity with a potential nexus to terrorism.
3. Khaled Ibrahim
118. Khaled Ibrahim is a United States citizen of Egyptian descent living in San Jose, California. He works in accounting for Nordix Computer Corporation, a computer network consulting and service company. He formerly worked as a purchasing agent for Nordix. As part of his job as purchasing agent, Mr. Ibrahim bought computers in bulk from retail stores, where the stores allowed such transactions.
119. On several occasions in 2011, Mr. Ibrahim went to the Best Buy in Dublin, California in order to attempt to purchase computers in bulk for Nordix. On one such occasion, he was told that management did not allow such bulk purchases and, with that, Mr. Ibrahim left.
120.
At no point while he was attempting to purchase computers from Best Buy did
Mr. Ibrahim engage in conduct that gave rise to a reasonable suspicion of criminal activity.
121.
Mr. Ibrahim is the subject of a SAR, created on November 14, 2011, regarding
21
Mr. Ibrahim’s attempts to purchase “a large amount of computers.” The SAR about him was
22
collected, maintained, and disseminated through a fusion center SAR database, and uploaded to
23
the FBI’s eGuardian database. Upon information and belief, the personnel at the fusion center
24
who uploaded Mr. Ibrahim’s SAR to eGuardian were trained in Defendants’ standards for SAR
25
reporting.
26
122.
The SAR pertaining to Mr. Ibrahim falls into one or more of the behavioral
27
categories identified in Functional Standard 1.5, in particular, “[a]cquisition … of unusual
28
quantities of materials.” Functional Standard 1.5 at 30. It also falls under one or more
COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF
28
1
behavioral categories identified by Defendant DOJ, such as the catch-all behavioral category of
2
“acting suspiciously” and DOJ’s “Potential Indicators of Terrorist Activities Related to
3
Electronic Stores.”
4
123.
Because Mr. Ibrahim is the subject of a SAR that falls under Defendants’
5
standards for suspicious activity reporting, Mr. Ibrahim has been automatically subjected to law
6
enforcement scrutiny. That scrutiny may include but is not limited to scrutiny or interviews by
7
any of the law enforcement agencies across the country that have access to the FBI’s eGuardian
8
system, to which his SAR was uploaded.
9
124.
Mr. Ibrahim is particularly disturbed that trained law enforcement personnel at a
10
fusion center uploaded the SAR about him to eGuardian, thereby flagging him as an individual
11
with a potential nexus to terrorism. He is also troubled by what may result from the collection,
12
maintenance, and dissemination in a national database of a report describing him as engaging in
13
suspicious activity with a potential nexus to terrorism. Mr. Ibrahim is upset that a SAR was
14
entered about him potentially because of his Middle Eastern descent, and believes that this
15
system of racial profiling diminishes the rights of Middle Eastern communities.
16
125.
The SAR about Mr. Ibrahim is maintained and will continue to be maintained in
17
one or more national SAR databases, where it can be accessed by law enforcement agencies
18
across the country.
19
4. Tariq Razak
126. Tariq Razak is a United States citizen of Pakistani descent. He resides in
Placentia, California. A graduate of the University of California at Irvine, he works in the
bio-tech industry.
127. Mr. Razak is the subject of a SAR pertaining to a “Male of Middle Eastern decent
[sic] observed surveying entry/exit points” at the Santa Ana Train Depot.
128. On May 16, 2011, Santa Ana Police Officer J. Gallardo filed a SAR regarding Mr.
Razak. According to the SAR, Officer Gallardo responded to a call at the Santa Ana Train
Depot from Security Officer Karina De La Rosa. Ms. De La Rosa explained that her “suspicion
became aroused because the male appeared to be observant of his surroundings and was
constantly surveying all areas of the facility. The male’s appearance was neat and clean with a
closely cropped beard, short hair wearing blue jeans and a blue plaid shirt.” The SAR goes on to
describe how Mr. Razak, after studying entry/exit points, moved to a part of the train station
where the restrooms are located and eventually departed the train station with “a female wearing
a white burka head dress” who had emerged from the restrooms. Officer Gallardo concludes the
SAR by requesting that it be forwarded to the fusion center in Orange County “for review and
possible follow-up.”
129. According to the SAR, Security Officer De La Rosa stated that “she received
‘suspicious activity as related to terrorism training’” and that “the behavior depicted by the male
was similar to examples shown in her training raising her suspicion and making the decision to
notify the police.” Mr. Razak is the subject of the SAR because of Defendants’ trainings on their
SAR reporting standards to state and local law enforcement and the private sector.
130. Mr. Razak was, indeed, at the Santa Ana Train Depot on May 16, 2011. The
woman he was with was his mother. He had an appointment at the county employment resource
center, which is located in the station building. He had not been to the station before and spent
some time locating the office before meeting up with his mother by the restrooms and leaving.
His mother was wearing a hijab (head scarf), and not a burka.
131. Mr. Razak did not talk to any security officers at the Santa Ana Train Depot that
day. The SAR notes the make and model of Mr. Razak’s vehicle, and his license plate number.
On information and belief, Security Officer De La Rosa followed Mr. Razak to his vehicle and
wrote down his license plate number to identify him.
132. At no point while he was waiting in the Train Depot did Mr. Razak engage in
conduct that gave rise to a reasonable suspicion of criminal activity.
133. This SAR falls into one or more of the behavioral categories identified in
Functional Standard 1.5, in particular, “Observation/Surveillance.” Functional Standard 1.5 at 30.
It also falls under DOJ’s “Potential Indicators of Terrorist Activities Related to Mass
Transportation,” which includes, among other things, “[u]nusual or prolonged interest in …
[e]ntry points and access controls.” It also falls under one or more behavioral categories
identified by Defendant DOJ, such as the catch-all behavioral category of “acting suspiciously.”
The SAR about Mr. Razak was collected, maintained, and disseminated through a fusion center
SAR database, and on information and belief has been uploaded to eGuardian and/or another
national SAR database.
134. Because Mr. Razak is the subject of a SAR that falls under Defendants’ standards
for suspicious activity reporting, Mr. Razak has been automatically subjected to law enforcement
scrutiny. That scrutiny may include but is not limited to scrutiny or interviews by any of the law
enforcement agencies across the country that have access to the SAR about him.
135. Mr. Razak is deeply troubled by what may result from the collection,
maintenance, and dissemination in a national database of a report describing him as engaging in
suspicious activity with a potential nexus to terrorism.
136. Upon information and belief, the SAR about Mr. Razak is maintained and will
continue to be maintained in one or more national SAR databases, where it can be accessed by
law enforcement agencies across the country.
5. Aaron Conklin
137. Aaron Conklin resides in Vallejo, California. Mr. Conklin is a student at Diablo
Valley College, studying graphic design. He is also an amateur photographer who posts his
work online. Mr. Conklin has a strong aesthetic interest in photographing industrial architecture,
including refineries.
138. In either 2011 or 2012, Mr. Conklin was photographing the Valero Refinery
located in Benicia, California at around 10:00 p.m. He chose to photograph at night for aesthetic
reasons, to capture the refinery illuminated against the dark night sky. Mr. Conklin set up in an
empty lot where a food truck parks during the day, near a publicly accessible sidewalk and a bus
stop. Mr. Conklin was positioned outside the refinery’s fenced perimeter.
139. Despite Mr. Conklin’s location outside the refinery’s perimeter in a publicly
accessible location, a private security guard from the refinery came out to tell Mr. Conklin that
he could not photograph the refinery and issued stern warnings. Mr. Conklin felt threatened and
feared that the situation would escalate if he remained, so he left. Because he fears further
harassment, he has not returned to photograph the refinery, despite his desire to develop his
portfolio with photographs of industrial sites.
140. Mr. Conklin later discovered that images of the refinery, taken from a similar
location, were viewable on the internet through Google Maps, using the site’s “street view”
feature.
141. In or about November 2013, Mr. Conklin was attempting to photograph the Shell
Refinery located in Martinez, California at approximately 9:30 or 10:00 pm. He wished to
photograph the refinery at night for artistic reasons.
142. Mr. Conklin set up in the parking lot of a strip mall containing a smog testing
center and a dance studio, across the street from the Shell Refinery’s fenced perimeter.
143. As Mr. Conklin was preparing to photograph, a private security guard came out
from the refinery and stopped him. At least one other guard from the refinery soon joined the
first security guard. The security guards told Mr. Conklin that he was prohibited from
photographing the refinery and that photographing the refinery was illegal and somehow
connected to terrorism.
144. Despite Mr. Conklin’s complete cooperation with the security guards, they called
the Contra Costa County Sheriff’s department, and at least two deputies arrived on the scene.
The deputies searched through the pictures on Mr. Conklin’s camera and searched his car. They
also took pictures of Mr. Conklin, his camera equipment, and his vehicle. Mr. Conklin was
afraid and felt as though he did not have the option to object to the searches without making
matters worse for himself.
145. The deputies concluded by telling Mr. Conklin that he would have to be placed on
an “NSA watch list.” Only then was Mr. Conklin allowed to leave. The entire encounter lasted
between forty-five minutes and an hour.
146. At no point while he was attempting to photograph the Valero or Shell refineries
did Mr. Conklin engage in conduct that gave rise to a reasonable suspicion of criminal activity.
147. Taking photographs of infrastructure falls under one or more of the behavioral
categories identified by Defendant PM-ISE as “suspicious,” and also falls under one or more
behavioral categories identified by Defendant DOJ, such as the catch-all behavioral category of
“acting suspiciously.” A Contra Costa deputy sheriff expressly told Mr. Conklin that he had to
be put on an “NSA watchlist.” On information and belief, Mr. Conklin is the subject of a SAR,
which was collected, maintained, and disseminated through a fusion center SAR database, and
uploaded to eGuardian and/or another national SAR database.
148. On information and belief, security guards at oil refineries are trained in
Defendants’ standards for SAR reporting. As a result, security guards at the Valero and Shell oil
refineries prevented Mr. Conklin from taking photographs of sites of aesthetic interest to him.
On information and belief, the Contra Costa deputy sheriffs are trained in Defendants’ standards
for SAR reporting. As a result, they detained and searched Mr. Conklin for doing nothing more
than attempting to photograph a site of aesthetic interest from a public location, told Mr. Conklin
that he had to be placed on a watchlist, and reported Mr. Conklin in a SAR.
149. Because Mr. Conklin is the subject of a SAR that falls under Defendants’
standards for suspicious activity reporting, Mr. Conklin has been automatically subjected to law
enforcement scrutiny. That scrutiny may include but is not limited to scrutiny or interviews by
any of the law enforcement agencies across the country that have access to the SAR about him.
150. Mr. Conklin was very upset by the encounter with private security and Contra
Costa deputy sheriffs at the Shell refinery. He wants to continue taking photographs of
industrial architecture in the future. But because of this event and the earlier incident at the
Valero refinery, he is afraid to continue photographing industrial sites for fear of being stopped
and questioned or, worse, arrested. Mr. Conklin has been chilled and has refrained from
engaging in certain forms of photography, despite his desire to develop his photography
portfolio. His inability to develop his photography portfolio limits his ability to apply
successfully for jobs in his chosen field.
151. Mr. Conklin is also deeply troubled by what may result from the collection,
maintenance, and dissemination in a national database of a report describing him as engaging in
suspicious activity with a potential nexus to terrorism.
152. Mr. Conklin currently worries about being on a watchlist because he fears it will
adversely impact him in the future. For example, he is concerned about his employment
prospects if employers conduct background checks and he is flagged as someone with a potential
connection to terrorism. Mr. Conklin also currently worries about being on a watchlist because
he fears it will adversely impact his family. His father has worked and is seeking employment in
the aviation industry and as a result must undergo rigorous background checks; Mr. Conklin is
afraid about jeopardizing his father’s career based on his own innocent efforts to take
photographs of aesthetically interesting sites.
FIRST CLAIM FOR RELIEF
Violation of APA by Defendants DOJ and Eric Holder for
Agency Action that is Arbitrary and Capricious and Not in Accordance with Law
5 U.S.C. §§ 702, 706(2)(A)
153. Plaintiffs incorporate by reference all preceding paragraphs as if fully set forth
herein.
154. DOJ’s promulgation of DOJ’s SAR Standard constitutes final agency action.
155. DOJ and Eric Holder have issued a SAR Standard that sets forth operating
principles for the collection, maintenance, and dissemination of “criminal intelligence
information” within the meaning of 28 CFR Part 23. It applies to entities that operate
arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency
exchange or dissemination and analysis of criminal intelligence information. These entities and
the systems they operate receive support from OJP and constitute “projects” and “criminal
intelligence systems” within the meaning of 28 CFR Part 23.
156. Because DOJ’s SAR standard is broader than 28 CFR Part 23 and authorizes the
collection, maintenance, and dissemination of information even in the absence of reasonable
suspicion of criminal activity, it conflicts with 28 CFR Part 23. DOJ has also undermined 28
CFR Part 23 by training participants in the NSI on DOJ’s SAR Standard.
157. Defendants DOJ and Eric Holder have not provided a reasoned basis for adopting
a conflicting standard.
158. Defendants’ actions described herein were and are arbitrary, capricious, an
abuse of discretion, and otherwise not in accordance with law, and should be set aside as
unlawful pursuant to 5 U.S.C. § 706 (2012).
SECOND CLAIM FOR RELIEF
Violation of APA by Defendants PM-ISE and Kshemendra Paul for
Agency Action that is Arbitrary and Capricious and Not in Accordance with Law
5 U.S.C. §§ 702, 706(2)(A)
159. Plaintiffs incorporate by reference all preceding paragraphs as if fully set forth
herein.
160. PM-ISE’s promulgation of Functional Standard 1.5 constitutes final agency
action.
161. PM-ISE and Kshemendra Paul have issued a SAR Standard that sets forth
operating principles for the collection, maintenance, and dissemination of “criminal intelligence
information” within the meaning of 28 CFR Part 23. It applies to entities that operate
arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency
exchange or dissemination and analysis of criminal intelligence information. These entities and
the systems they operate receive support from OJP and constitute “projects” and “criminal
intelligence systems” within the meaning of 28 CFR Part 23.
162. Because Functional Standard 1.5 is broader than 28 CFR Part 23 and authorizes
the collection, maintenance, and dissemination of information even in the absence of reasonable
suspicion of criminal activity, it conflicts with 28 CFR Part 23. PM-ISE has also undermined 28
CFR Part 23 by training participants in the NSI on Functional Standard 1.5.
163. Defendants PM-ISE and Kshemendra Paul have not provided a reasoned basis for
adopting a conflicting standard.
164. Defendants’ actions described herein were and are arbitrary, capricious, an
abuse of discretion, otherwise not in accordance with law and should be set aside as unlawful
pursuant to 5 U.S.C. § 706 (2012).
THIRD CLAIM FOR RELIEF
Violation of APA by Defendants DOJ and Eric Holder
for Issuance of a Legislative Rule Without Notice and Comment
5 U.S.C. §§ 553, 706(2)(A), (D)
165. Plaintiffs incorporate by reference all preceding paragraphs as if fully set forth
herein.
166. DOJ’s SAR Standard is a legislative rule but was adopted without observing the
notice and comment procedure required under 5 U.S.C. § 553 (2012). Because DOJ’s SAR
Standard was adopted without observing the required notice and comment procedure,
Defendants’ actions described herein were and are also arbitrary, capricious, an abuse of
discretion, otherwise not in accordance with law, and without observance of procedure required
by law. Defendants’ actions should be set aside as unlawful pursuant to 5 U.S.C. § 706 (2012).
FOURTH CLAIM FOR RELIEF
Violation of APA by Defendants PM-ISE and Kshemendra Paul
for Issuance of a Legislative Rule Without Notice and Comment
5 U.S.C. §§ 553, 706(2)(A), (D)
167. Plaintiffs incorporate by reference all preceding paragraphs as if fully set forth
herein.
168. PM-ISE’s Functional Standard 1.5 is a legislative rule but was adopted without
observing the notice and comment procedure required under 5 U.S.C. § 553 (2012). Because
PM-ISE’s Functional Standard 1.5 was adopted without observing the required notice and
comment procedure, Defendants’ actions described herein were and are also arbitrary,
capricious, an abuse of discretion, otherwise not in accordance with law, and without observance
of procedure required by law. Defendants’ actions should be set aside as unlawful pursuant to 5
U.S.C. § 706 (2012).
PRAYER FOR RELIEF
WHEREFORE, Plaintiffs pray that the Court:
1. Enter a declaratory judgment that DOJ’s standard for SAR reporting is invalid and
issue a permanent injunction requiring Defendants DOJ and Eric Holder to rescind DOJ’s SAR
Standard and cease and desist from training participants in the NSI in DOJ’s SAR Standard.
2. Enter a declaratory judgment that Functional Standard 1.5 is invalid and issue a
permanent injunction requiring Defendants PM-ISE and KSHEMENDRA PAUL to rescind
Functional Standard 1.5 and cease and desist from training participants in the NSI in Functional
Standard 1.5.
3. Enter a declaratory judgment that 28 CFR Part 23 sets forth the standard for SAR
reporting.
4. Enter a permanent injunction requiring Defendants to use 28 CFR Part 23 as the
standard for SAR reporting.
5. Award Plaintiffs their costs and expenses, including reasonable attorneys’ fees
and expert witness fees; and
6. Award such further and additional relief as is just and proper.
Respectfully submitted,
DATED: July 10, 2014
BINGHAM MCCUTCHEN LLP
Jonathan Loeb (SBN 162758)
jon.loeb@bingham.com
Jeffrey Rosenfeld (SBN 221625)
jeffrey.rosenfeld@bingham.com
Edward Andrews (SBN 268479)
edward.andrews@bingham.com
The Water Garden
Suite 2050 North
1601 Cloverfield Boulevard
Santa Monica, CA 90404-4082
Telephone: 310-907-1000
Facsimile: 310-907-2000
BINGHAM MCCUTCHEN LLP
Stephen Scotch-Marmo (pro hac vice pending)
stephen.scotch-marmo@bingham.com
Michael James Ableson (pro hac vice pending)
michael.ableson@bingham.com
399 Park Avenue
New York, NY 10022-4689
Telephone: 212-705-7000
Facsimile: 212-752-5378
AMERICAN CIVIL LIBERTIES UNION
FOUNDATION OF NORTHERN CALIFORNIA
Linda Lye (SBN 215584)
llye@aclunc.org
Julia Harumi Mass (SBN 189649)
jmass@aclunc.org
39 Drumm Street
San Francisco, CA 94111
Telephone: 415-621-2493
Facsimile: 415-255-8437
ASIAN AMERICANS ADVANCING
JUSTICE - ASIAN LAW CAUCUS
Nasrina Bargzie (SBN 238917)
nasrinab@advancingjustice-alc.org
Yaman Salahi (SBN 288752)
yamans@advancingjustice-alc.org
55 Columbus Avenue
San Francisco, CA 94111
Telephone: 415-848-7711
Facsimile: 415-896-1702
AMERICAN CIVIL LIBERTIES UNION
FOUNDATION
Hina Shamsi (pro hac vice pending)
hshamsi@aclu.org
Hugh Handeyside (pro hac vice pending)
hhandeyside@aclu.org
125 Broad Street
New York, NY 10004
Telephone: 212-549-2500
Facsimile: 212-549-2654
AMERICAN CIVIL LIBERTIES UNION
FOUNDATION OF SAN DIEGO AND IMPERIAL
COUNTIES
Mitra Ebadolahi (SBN 275157)
mebadolahi@aclusandiego.org
P.O. Box 87131
San Diego, CA 92138
Telephone: (619) 232-2121
Facsimile: (619) 232-0036
AMERICAN CIVIL LIBERTIES UNION
FOUNDATION OF SOUTHERN CALIFORNIA
Peter Bibring (SBN 223981)
pbibring@aclusocal.org
1313 West 8th Street
Los Angeles, CA 90017
Telephone: (213) 977-9500
Facsimile: (213) 977-5299
By:___________/s/ Jonathan Loeb__________
Jonathan Loeb
BINGHAM MCCUTCHEN LLP
By:___________/s/ Linda Lye______________
Linda Lye
AMERICAN CIVIL LIBERTIES UNION
FOUNDATION OF NORTHERN CALIFORNIA
By:___________/s/ Nasrina Bargzie__________
Nasrina Bargzie
ASIAN AMERICANS ADVANCING JUSTICE –
ASIAN LAW CAUCUS
Attorneys for Plaintiffs Wiley Gill, James Prigoff,
Tariq Razak, Khaled Ibrahim, and Aaron Conklin
DECLARATION PURSUANT TO LOCAL RULE 5-1(i)(3)
Pursuant to Local Rule 5-1(i)(3), the undersigned filer declares that concurrence in the
filing of this document has been obtained from the other signatories to this document.
I declare under penalty of perjury under the laws of the United States that the foregoing is
true and correct. Executed this 10th day of July 2013.
_________/s/ Jonathan Loeb______
Jonathan Loeb
Exhibit A
Exhibit B
Exhibit C
Exhibit D
UNCLASSIFIED
ISE-FS-200
INFORMATION SHARING ENVIRONMENT (ISE)
FUNCTIONAL STANDARD (FS)
SUSPICIOUS ACTIVITY REPORTING (SAR)
VERSION 1.5
1. Authority. Homeland Security Act of 2002, as amended; The Intelligence Reform and
Terrorism Prevention Act of 2004 (IRTPA), as amended; Presidential Memorandum dated
April 10, 2007 (Assignment of Functions Relating to the Information Sharing Environment);
Presidential Memorandum dated December 16, 2005 (Guidelines and Requirements in Support
of the Information Sharing Environment); DNI memorandum dated May 2, 2007 (Program
Manager’s Responsibilities); Executive Order 13388; and other applicable provisions of law,
regulation, or policy.
2. Purpose. This issuance serves as the updated Functional Standard for ISE-SARs, and one of a
series of Common Terrorism Information Sharing Standards (CTISS) issued by the PM-ISE.
While limited to describing the ISE-SAR process and associated information exchanges,
information from this process may support other ISE processes to include alerts, warnings, and
notifications, situational awareness reporting, and terrorist watchlisting.
3. Applicability. This ISE-FS applies to all departments or agencies that possess or use terrorism
or homeland security information, operate systems that support or interface with the ISE, or
otherwise participate (or expect to participate) in the ISE, as specified in Section 1016(i) of the
IRTPA.
4. References. ISE Implementation Plan, November 2006; ISE Enterprise Architecture
Framework (EAF), Version 2.0, September 2008; Initial Privacy and Civil Liberties Analysis for
the Information Sharing Environment, Version 1.0, September 2008; ISE-AM-300: Common
Terrorism Information Standards Program, October 31, 2007; Common Terrorism Information
Sharing Standards Program Manual, Version 1.0, October 2007; National Information Exchange
Model, Concept of Operations, Version 0.5, January 9, 2007; 28 Code of Federal Regulations
(CFR) Part 23; Executive Order 13292 (Further Amendment to Executive Order 12958, as
Amended, Classified National Security Information); Nationwide Suspicious Activity Reporting
Concept of Operations, December 2008; ISE Suspicious Activity Reporting Evaluation
Environment (EE) Segment Architecture, December 2008.
5. Definitions.
a. Artifact: Detailed mission product documentation addressing information exchanges and
data elements for ISE-SAR (data models, schemas, structures, etc.).
b. CTISS: Business process-driven, performance-based “common standards” for preparing
terrorism information for maximum distribution and access, to enable the acquisition,
access, retention, production, use, management, and sharing of terrorism information
within the ISE. CTISS, such as this ISE-SAR Functional Standard, are implemented in
ISE participant infrastructures that include ISE Shared Spaces as described in the ISE
EAF. Two categories of common standards are formally identified under CTISS:
(1) Functional Standards – set forth rules, conditions, guidelines, and characteristics of
data and mission products supporting ISE business process areas.
(2) Technical Standards – document specific technical methodologies and practices to
design and implement information sharing capability into ISE systems.
c. Information Exchange: The transfer of information from one organization to another
organization, in accordance with CTISS defined processes.
d. ISE-Suspicious Activity Report (ISE-SAR): An ISE-SAR is a SAR (as defined below in
5i) that has been determined, pursuant to a two-part process, to have a potential terrorism
nexus (i.e., to be reasonably indicative of criminal activity associated with terrorism).
ISE-SAR business, privacy, and civil liberties rules will serve as a unified process to
support the reporting, tracking, processing, storage, and retrieval of terrorism-related
suspicious activity reports across the ISE.
e. National Information Exchange Model (NIEM): A joint technical and functional
standards program initiated by the Department of Homeland Security (DHS) and the
Department of Justice (DOJ) that supports national-level interoperable information
sharing.
f. Personal Information: Information that may be used to identify an individual (i.e., data
elements in the identified “privacy fields” of this ISE-SAR Functional Standard).
g. Privacy Field: A data element that may be used to identify an individual and, therefore,
may be subject to privacy protection.
h. Suspicious Activity: Observed behavior reasonably indicative of pre-operational planning
related to terrorism or other criminal activity.
i. Suspicious Activity Report (SAR): Official documentation of observed behavior
reasonably indicative of pre-operational planning related to terrorism or other criminal
activity.
j. Universal Core (UCore): An interagency information exchange specification and
implementation profile. It provides a framework for sharing the most commonly used
data concepts of “who, what when, and where”. UCore serves as a starting point for data
level integration and permits the development of richer domain specific exchanges.
UCore was developed in concert with NIEM program office, and is a collaborative effort
between Department of Defense (DOD), DOJ, DHS and the Intelligence Community.
6. Guidance. This Functional Standard is hereby established as the nationwide ISE Functional
Standard for ISE-SARs. It is based on documented information exchanges and business
requirements, and describes the structure, content, and products associated with processing,
integrating, and retrieving ISE-SARs by ISE participants.
7. Responsibilities.
a. The PM-ISE, in consultation with the Information Sharing Council (ISC), will:
(1) Maintain and administer this ISE-SAR Functional Standard, to include:
(a) Updating the business process and information flows for ISE-SAR.
(b) Updating data elements and product definitions for ISE-SAR.
(2) Publish and maintain configuration management of this ISE-SAR Functional
Standard.
(3) Assist with the development of ISE-SAR implementation guidance and governance
structure, as appropriate, to address privacy, civil rights, and civil liberties, policy,
architecture, and legal issues.
(4) Work with ISE participants, through the CTISS Committee, to develop a new or
modified ISE-SAR Functional Standard, as needed.
(5) Coordinate, publish, and monitor implementation and use of this ISE-SAR Functional
Standard, and coordinate with the White House Office of Science and Technology
Policy and with the National Institute of Standards and Technology (in the
Department of Commerce) for broader publication, as appropriate.
b. Each ISC member and other affected organizations shall:
(1) Propose modifications to the PM-ISE for this Functional Standard, as appropriate.
(2) As appropriate, incorporate this ISE-SAR Functional Standard, and any subsequent
implementation guidance, into budget activities associated with relevant current
(operational) mission specific programs, systems, or initiatives (e.g. operations and
maintenance {O&M} or enhancements).
(3) As appropriate, incorporate this ISE-SAR Functional Standard, and any subsequent
implementation guidance, into budget activities associated with future or new
development efforts for relevant mission specific programs, systems, or initiatives
(e.g. development, modernization, or enhancement {DME}).
(4) Ensure incorporation of this ISE-SAR Functional Standard, as set forth in 7.b (2) or
7.b (3) above, is done in compliance with ISE Privacy Guidelines and any additional
guidance provided by the ISE Privacy Guidelines Committee.
8. Effective Date and Expiration. This ISE-FS is effective immediately and will remain in effect
as the updated ISE-SAR Functional Standard until further updated, superseded, or cancelled.
__________________________________
Program Manager for the
Information Sharing Environment
Date: May 21, 2009
PART A – ISE-SAR FUNCTIONAL STANDARD ELEMENTS
SECTION I – DOCUMENT OVERVIEW
A. List of ISE-SAR Functional Standard Technical Artifacts
The full ISE-SAR information exchange contains five types of supporting technical artifacts.
This documentation provides details of implementation processes and other relevant reference
materials. A synopsis of the ISE-SAR Functional Standard technical artifacts is contained in
Table 1 below.
Table 1 – Functional Standard Technical Artifacts 1
Artifact Type: Development and Implementation Tools
Artifact: Artifact Description
1. Component Mapping Template (CMT) (SAR-to-NIEM/UCore): This spreadsheet captures the
ISE-SAR information exchange class and data element (source) definitions and relates each
data element to corresponding National Information Exchange Model (NIEM) Extensible
Mark-Up Language (XML) elements and UCore elements, as appropriate.
2. NIEM Wantlist: The Wantlist is an XML file that lists the elements selected from the NIEM
data model for inclusion in the Schema Subset. The Schema Subset is a compliant version to
both programs that has been reduced to only those elements actually used in the ISE-SAR
document schema.
3. XML Schemas: The XML Schema provides a technical representation of the business data
requirements. They are a machine readable definition of the structure of an ISE-SAR-based
XML Message.
4. XML Sample Instance: The XML Sample Instance is a sample document that has been
formatted to comply with the structures defined in the XML Schema. It provides the developer
with an example of how the ISE-SAR schema is intended to be used.
5. Codified Data Field Values: Listings, descriptions, and sources as prescribed by data fields
in the ISE-SAR Functional Standard.
1 Development and implementation tools may be accessible through www.ise.gov. Additionally, updated versions of this
Functional Standard will incorporate the CTISS Universal Core which harmonizes the NIEM Universal Core with the DoD/IC
UCore.
SECTION II – SUSPICIOUS ACTIVITY REPORTING EXCHANGES
A. ISE-SAR Purpose
This ISE-SAR Functional Standard is designed to support the sharing, throughout the
Information Sharing Environment (ISE), of information about suspicious activity, incidents, or
behavior (hereafter collectively referred to as suspicious activity or activities) that have a
potential terrorism nexus. The ISE includes State and major urban area fusion centers and their
law enforcement, 2 homeland security, 3 or other information sharing partners at the Federal, State,
local, and tribal levels to the full extent permitted by law. In addition to providing specific
indications about possible terrorism-related crimes, ISE-SARs can be used to look for patterns
and trends by analyzing information at a broader level than would typically be recognized within
a single jurisdiction, State, or territory. Standardized and consistent sharing of suspicious activity
information regarding criminal activity among State and major urban area fusion centers and
Federal agencies is vital to assessing, deterring, preventing, or prosecuting those involved in
criminal activities associated with terrorism. This ISE-SAR Functional Standard has been
designed to incorporate key elements that describe potential criminal activity associated with
terrorism and may be used by other communities to address other types of criminal activities
where appropriate.
B. ISE-SAR Scope
Suspicious activity is defined as observed behavior reasonably indicative of pre-operational
planning related to terrorism or other criminal activity. A determination that such suspicious
activity constitutes an ISE-SAR is made as part of a two-part process by trained analysts using
explicit criteria. Some examples of the criteria for identifying those SARs, with defined
relationships to criminal activity that also have a potential terrorism nexus, are listed below. Part
B (ISE-SAR Criteria Guidance) provides a more thorough explanation of ISE-SAR criteria,
highlighting the importance of context in interpreting such behaviors.
• Expressed or implied threat
• Theft/loss/diversion
• Site breach or physical intrusion
• Cyber attacks
• Probing of security response
2 All references to Federal, State, local and tribal law enforcement are intended to encompass civilian law enforcement, military
police, and other security professionals.
3 All references to homeland security are intended to encompass public safety, emergency management, and other officials who
routinely participate in the State or major urban area’s homeland security preparedness activities.
It is important to stress that this behavior-focused approach to identifying suspicious activity
requires that factors such as race, ethnicity, national origin, or religious affiliation should not be
considered as factors that create suspicion (except if used as part of a specific suspect
description). It is also important to recognize that many terrorism activities are now being funded
via local or regional criminal organizations whose direct association with terrorism may be
tenuous. This places law enforcement and homeland security professionals in the unique, yet
demanding, position of identifying suspicious activities or materials as a byproduct or secondary
element in a criminal enforcement or investigation activity. This means that, while some ISE-SARs may document activities or incidents to which local agencies have already responded,
there is value in sharing them more broadly to facilitate aggregate trending or analysis.
Suspicious Activity Reports are not intended to be used to track or record ongoing enforcement,
intelligence, or investigatory operations although they can provide information to these activities.
The ISE-SAR effort offers a standardized means for sharing information regarding behavior
potentially related to terrorism-related criminal activity and applying data analysis tools to the
information. Any patterns identified during ISE-SAR data analysis may be investigated in
cooperation with the reporting agency, Joint Terrorism Task Force (JTTF), or the State or major
urban area fusion center in accordance with departmental policies and procedures. Moreover, the
same constitutional standards that apply when conducting ordinary criminal investigations also
apply to local law enforcement and homeland security officers conducting SAR inquiries. This
means, for example, that constitutional protections and agency policies and procedures that apply
to a law enforcement officer’s authority to stop, stop and frisk (“Terry Stop”) 4 , request
identification, or detain and question an individual would apply in the same measure whether or
not the observed behavior related to terrorism or any other criminal activity.
C. Overview of Nationwide SAR Cycle
As defined in the Nationwide Suspicious Activity Reporting Initiative (NSI) Concept of
Operations (CONOPS 5 ) and shown in Figure 1, the nationwide SAR process involves a total of
12 discrete steps that are grouped under five standardized business process activities – Planning,
Gathering and Processing, Analysis and Production, Dissemination, and Reevaluation. The top-level ISE-SAR business process described in this section has been revised to be consistent with
the description in the NSI CONOPS. Consequently, the numbered steps in Figure 1 are the only
ones that map directly to the nine steps of the detailed information flow for nationwide SAR
information sharing documented in Part C of this version of the ISE-SAR Functional Standard.
For further detail on the 12 NSI steps, please refer to the NSI CONOPS.
4 “Terry Stop” refers to law enforcement circumstances related to Supreme Court of the United States ruling on “Terry v. Ohio
(No. 67)” argued on December 12, 1967 and decided on June 10, 1968. This case allows a law enforcement officer to
articulate reasonable suspicion as a result of a totality of circumstances (to include training and experience) and take action to
frisk an individual for weapons that may endanger the officer. The Opinion of the Supreme Court regarding this case may be
found at Internet site http://www.law.cornell.edu/supct/html/historics/USSC_CR_0392_0001_ZO.html.
5 PM-ISE, Nationwide SAR Initiative Concept of Operations (Washington: PM-ISE, 2008), available from www.ise.gov.
[Figure 1 (diagram): Nationwide SAR Cycle. Box labels recoverable from the figure, listed without the box numbers 1 through 9:
• Federal agencies produce and make available information products to support the development of geographic risk assessments by state and major urban area fusion centers
• National coordinated information needs on annual and ad hoc basis
• State and major urban area fusion centers, in coordination with local-Feds, develop risk assessments
• State and major urban area fusion centers, in coordination with local-Feds, develop information needs based on risk assessment
• Front line LE personnel (FSLT) trained to recognize behavior and incidents indicative of criminal activity associated with terrorism; Community outreach plan implemented
• Observation and reporting of behaviors and incidents by trained LE personnel during their routine activity
• Supervisory review of the report in accordance with departmental policy
• In major cities, SAR reviewed by trained CT expert
• SAR made available to fusion center and/or JTTF
• Determination and documentation of an ISE-SAR
• At fusion center or JTTF, a trained analyst or LE officer determines, based on information available, knowledge, experience, and personal judgment, whether the information meeting the ISE-SAR criteria may have a terrorism nexus
• ISE-SAR posted in an ISE Shared Space
• Authorized ISE participants access and retrieve ISE-SAR
Legend, Suspicious Activity Processing Steps: Planning; Gathering and Processing; Analysis and Production; Dissemination; Reevaluation]
Figure 1. Overview of Nationwide SAR Process
D. ISE-SAR Top-Level Business Process
1. Planning
The activities in the planning phase of the NSI cycle, while integral to the overall NSI, are
not discussed further in this Functional Standard. See the NSI CONOPS for more details. 6
2. Gathering and Processing
Local law enforcement agencies or field elements of Federal agencies gather and document
suspicious activity information in support of their responsibilities to investigate potential
criminal activity, protect citizens, apprehend and prosecute criminals, and prevent crime.
Information acquisition begins with an observation or report of unusual or suspicious
behavior that may be indicative of criminal activity associated with terrorism. Such activities
include, but are not limited to, theft, loss, or diversion, site breach or physical intrusion,
cyber attacks, possible testing of physical response, or other unusual behavior or sector
specific incidents. It is important to emphasize that context is an essential element of
interpreting the relevance of such behaviors to criminal activity associated with terrorism.
(See Part B for more details.)
6 Ibid., 17-18.
Regardless of whether the initial observer is a private citizen, a representative of a private
sector partner, a government official, or a law enforcement officer, suspicious activity is
eventually reported to either a local law enforcement agency or a local, regional, or national
office of a Federal agency. When the initial investigation or fact gathering is completed, the
investigating official documents the event in accordance with agency policy, local
ordinances, and State and Federal laws and regulations.
The information is reviewed within a local or Federal agency by appropriately designated
officials for linkages to other suspicious or criminal activity in accordance with departmental
policy and procedures. 7 Although there is always some level of local review, the degree
varies from agency to agency. Smaller agencies may forward most SARs directly to the State
or major urban area fusion center or JTTF with minimal local processing. Major cities, on the
other hand, may have trained counterterrorism experts on staff that apply a more rigorous
analytic review of the initial reports and filter out those that can be determined not to have a
potential terrorism nexus.
After appropriate local processing, agencies make SARs available to the relevant State or
major urban area fusion center. Field components of Federal agencies forward their reports to
the appropriate regional, district, or headquarters office employing processes that vary from
agency to agency. Depending on the nature of the activity, the information could cross the
threshold of “suspicious” and move immediately into law enforcement operations channels
for follow-on action against the identified terrorist activity. In those cases where the local
agency can determine that an activity has a direct connection to criminal activity associated
with terrorism, it will provide the information directly to the responsible JTTF for use as the
basis for an assessment or investigation of a terrorism-related crime as appropriate.
3. Analysis and Production
The fusion center or Federal agency enters the SAR into its local information system and
then performs an additional analytic review to establish or discount a potential terrorism
nexus. First, an analyst or law enforcement officer reviews the newly reported information
against ISE-SAR criteria outlined in Part B of this ISE-SAR Functional Standard. Second,
the Terrorist Screening Center (TSC) should be contacted to determine if there is valuable
information in the Terrorist Screening Database. Third, he or she will review the input
against all available knowledge and information for linkages to other suspicious or criminal
activity.
Based on this review, the officer or analyst will apply his or her professional judgment to
determine whether the information has a potential nexus to terrorism. If the officer or analyst
cannot make this explicit determination, the report will not be accessible by the ISE, although
it may be retained in local fusion center or Federal agency files in accordance with
established retention policies and business rules. 8
7 If appropriate, the agency may consult with a Joint Terrorism Task Force, Field Intelligence Group, or fusion center.
4. Dissemination
Once the determination of a potential terrorism nexus is made, the information becomes an
ISE-SAR and is formatted in accordance with the ISE-SAR Information Exchange Package
Document (IEPD) format described in Sections III and IV. This ISE-SAR is then stored in
the fusion center, JTTF, or other Federal agency’s ISE Shared Space 9 where it can be
accessed by authorized law enforcement and homeland security personnel in the State or
major urban area fusion center’s area of responsibility as well as other ISE participants,
including JTTFs. This allows the fusion center to be cognizant of all terrorist-related
suspicious activity in its area of responsibility, consistent with the information flow
description in Part C. Although the information in ISE Shared Spaces is accessible by other
ISE participants, it remains under the control of the submitting organization, i.e., the fusion
center or Federal agency that made the initial determination that the activity constituted an
ISE-SAR.
By this stage of the process, all initially reported SARs have been through multiple levels of
review by trained personnel and, to the maximum extent possible, those reports without a
potential terrorism nexus have been filtered out. Those reports posted in ISE Shared Spaces,
therefore, can be presumed by Federal, State, and local analytic personnel to be terrorism-related and information derived from them can be used along with other sources to support
counterterrorism operations or develop counterterrorism analytic products. As in any analytic
process, however, all information is subject to further review and validation, and analysts
must coordinate with the submitting organization to ensure that the information is still valid
and obtain any available relevant supplementary material before incorporating it into an
analytic product.
Once ISE-SARs are accessible, they can be used to support a range of counterterrorism
analytic and operational activities. This step involves the actions necessary to integrate ISE-SAR information into existing counterterrorism analytic and operational processes, including
efforts to “connect the dots,” identify information gaps, and develop formal analytic
products. Depending on privacy policy and procedures established for the NSI as a whole or
by agencies responsible for individual ISE Shared Spaces, requestors may only be able to
view reports in the Summary ISE-SAR Information format, i.e., without privacy fields. In
these cases, requestors should contact the submitting organization directly to discuss the
particular report more fully and obtain access, where appropriate, to the information in the
privacy fields.
8 As was already noted in the discussion of processing by local agencies, where the fusion center or Federal agency can
determine that an activity has a direct connection to a possible terrorism-related crime, it will provide the information directly to
the responsible JTTF for use as the basis for an assessment or investigation.
9 PM-ISE, ISE Enterprise Architecture Framework, Version 2.0, (Washington: PM-ISE, 2008), 61-63
5. Reevaluation 10
Operational feedback on the status of ISE-SARs is an essential element of an effective NSI
process with important implications for privacy and civil liberties. First of all, it is important
to notify source organizations when information they provide is designated as an ISE-SAR
by a submitting organization and made available for sharing—a form of positive feedback
that lets organizations know that their initial suspicions have some validity. Moreover, the
process must support notification of all ISE participants when further evidence determines
that an ISE-SAR was designated incorrectly so that the original information does not
continue to be used as the basis for analysis or action. This type of feedback can support
organizational redress processes and procedures where appropriate.
E. Broader ISE-SAR Applicability
Consistent with the ISE Privacy Guidelines and Presidential Guideline 2, and to the full extent
permitted by law, this ISE-SAR Functional Standard is designed to support the sharing of
unclassified information or sensitive but unclassified (SBU)/controlled unclassified information
(CUI) within the ISE. There is also a provision for using a data element indicator for designating
classified national security information as part of the ISE-SAR record, as necessary. This
condition could be required under special circumstances for protecting the context of the event,
or specifics or organizational associations of affected locations. The State or major urban area
fusion center shall act as the key conduit between the State, local, and tribal (SLT) agencies and
other ISE participants. It is also important to note that the ISE Shared Spaces implementation
concept is focused exclusively on terrorism-related information. However, many SAR originators
and consumers have responsibilities beyond terrorist activities. Of special note, there is no
intention to modify or otherwise affect, through this ISE-SAR Functional Standard, the currently
supported or mandated direct interactions between State, local, and tribal law enforcement and
investigatory personnel and the Joint Terrorism Task Forces (JTTFs) or Field Intelligence
Groups (FIGs).
This ISE-SAR Functional Standard will be used as the ISE-SAR information exchange standard
for all ISE participants. Although the extensibility of this ISE-SAR Functional Standard does
support customization for unique communities, jurisdictions planning to modify this ISE-SAR
Functional Standard must carefully consider the consequences of customization. The PM-ISE
requests that modification follow a formal change request process through the ISE-SAR Steering
Committee and CTISS Committee under the Information Sharing Council, for both community
coordination and consideration. Furthermore, messages that do not conform to this Functional
Standard may not be consumable by the receiving organization and may require modifications by
the nonconforming organizations.
10 The Reevaluation Phase also encompasses the establishment of an integrated counterterrorism information needs process, a
process that does not relate directly to information exchanges through this standard. See page 23 of the NSI CONOPS for
more details.
F. Protecting Privacy
Laws that prohibit or otherwise limit the sharing of personal information vary considerably
between the Federal, State, local, and tribal levels. The Privacy Act of 1974 (5 USC §552a) as
amended, other statutes such as the E-Government Act, and many government-wide or
departmental regulations establish a framework and criteria for protecting information privacy in
the Federal Government. The ISE must facilitate the sharing of information in a lawful manner,
which by its nature must recognize, in addition to Federal statutes and regulations, different
State, local or tribal laws, regulations, or policies that affect privacy. One method for protecting
privacy while enabling the broadest possible sharing is to anonymize ISE-SAR reports by
excluding data elements that contain personal information. Accordingly, two different formats
are available for ISE-SAR information. The Detailed ISE-SAR IEPD format includes personal
information contained in the data fields set forth in Section IV of this ISE-SAR Functional
Standard (“ISE-SAR Exchange Data Model”), including “privacy fields” denoted as containing
personal information. If an ISE participant is not authorized to disseminate personal information
from an ISE Shared Space (e.g., the requester site does not have a compliant privacy policy) or
the SAR does not evidence the necessary nexus to terrorism-related crime (as required by this
ISE-SAR Functional Standard), information from the privacy fields will not be loaded into the
responsive document (search results) from the ISE Shared Space. This personal information will
not be passed to the ISE participant. The Summary ISE-SAR Information format excludes
privacy fields or data elements identified in Section IV of this ISE-SAR Functional Standard as
containing personal information. Each ISE participant can exclude additional data elements from
the Summary ISE-SAR Information format in accordance with its own legal and policy
requirements. It is believed the data contained within a Summary ISE-SAR Information format
will support sufficient trending and pattern recognition to trigger further analysis and/or
investigation where additional information can be requested from the sending organization.
Because of variances of data expected within ISE-SAR exchanges, only the minimum elements
are considered mandatory. These are enumerated in the READ ME document in the technical
artifacts folder that is part of this ISE-SAR Functional Standard.
Currently, the privacy fields identified in the ISE-SAR exchange data model (Section IV, below)
are the minimum fields that should be removed from a Detailed ISE-SAR IEPD.
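The release rule described in this section, sketched as an added example that is not part of the Functional Standard or its technical artifacts: privacy fields are returned only when the requester has a compliant privacy policy and the SAR evidences the required nexus, and otherwise the Summary format is produced, less any additional elements the participant excludes. The dictionary layout, the function names, the two-element privacy-field subset, and the choice to withhold flagged attachments whole are assumptions made for illustration.

```python
"""Added illustration of the Section II.F release rule (Detailed vs. Summary format)."""
from copy import deepcopy

# ASSUMPTION: illustrative subset only. The authoritative privacy-field markings
# are those in Section IV (Table 2) of the Functional Standard.
PRIVACY_FIELDS = frozenset({"Aircraft Tail Number", "Driver License Number"})

DETAILED = "Detailed ISE-SAR IEPD"
SUMMARY = "Summary ISE-SAR Information"


def aircraft_id_is_privacy(group, declared_non_identifying):
    """Table 2 makes Aircraft ID a privacy field when it can identify a specific
    aircraft. Fail closed: withhold it unless the submitter declares it a local
    reference, and always withhold it when it repeats the tail number."""
    ident = group.get("Aircraft ID")
    if ident is None:
        return False
    if ident == group.get("Aircraft Tail Number"):
        return True
    return not declared_non_identifying


def to_summary(record, extra_exclusions=frozenset(), aircraft_id_non_identifying=False):
    """Return a new record with privacy fields and participant exclusions removed."""
    summary = {}
    for class_name, groups in record.items():
        kept = []
        for group in groups:
            # ASSUMPTION: an attachment flagged as identifying is withheld whole.
            if class_name == "Attachment" and group.get("Attachment Privacy Field Indicator"):
                continue
            stripped = {}
            for name, value in group.items():
                if name in PRIVACY_FIELDS or name in extra_exclusions:
                    continue
                if name == "Aircraft ID" and aircraft_id_is_privacy(
                        group, aircraft_id_non_identifying):
                    continue
                stripped[name] = value
            if stripped:          # drop groups left with no elements
                kept.append(stripped)
        if kept:                  # drop classes left with no groups
            summary[class_name] = kept
    return summary


def build_response(record, requester_policy_compliant, sar_has_nexus,
                   extra_exclusions=frozenset(), aircraft_id_non_identifying=False):
    """Both conditions must hold before privacy fields are loaded into the response."""
    if requester_policy_compliant and sar_has_nexus:
        return DETAILED, deepcopy(record)
    return SUMMARY, to_summary(record, extra_exclusions, aircraft_id_non_identifying)


# Constructed sample record: class name -> list of element groups (all values made up).
SAMPLE_RECORD = {
    "Aircraft": [{
        "Aircraft ID": "N00000",
        "Aircraft Tail Number": "N00000",
        "Aircraft Make Code": "EXAMPLE-MAKE",
    }],
    "Driver License": [{"Driver License Number": "X0000000"}],
    "Attachment": [
        {"Attachment Type Text": "surveillance video", "Format Type Text": "mpeg",
         "Attachment Privacy Field Indicator": True},
        {"Attachment Type Text": "evidence", "Format Type Text": "jpg",
         "Attachment Privacy Field Indicator": False},
    ],
    "Follow-Up Action": [{"Status Text": "open"}],
}

if __name__ == "__main__":
    for compliant, nexus in [(True, True), (False, True), (True, False)]:
        fmt, body = build_response(SAMPLE_RECORD, compliant, nexus)
        print(compliant, nexus, fmt, sorted(body))
```
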
SECTION III – INFORMATION EXCHANGE DEVELOPMENT
This ISE-SAR Functional Standard is a collection of artifacts that support an implementer’s
creation of ISE-SAR information exchanges, whether Detailed ISE-SAR IEPD or Summary
ISE-SAR Information. The basic ISE-SAR information exchange is documented using five
unique artifacts giving implementers tangible products that can be leveraged for local
implementation. A domain model provides a graphical depiction of those data elements required
for implementing an exchange and the cardinality between those data elements. Second, a
Component Mapping Template is a spreadsheet that associates each required data element with
its corresponding XML data element. Third, information exchanges include the schemas which
consist of a document, extension, and constraint schema. Fourth, at least one sample XML
Instance and associated style-sheet is included to help practitioners validate the model, mapping,
and schemas in a more intuitive way. Fifth, a codified data field values listing provides listings,
descriptions, and sources as prescribed by the data fields.
SECTION IV – ISE-SAR EXCHANGE DATA MODEL
A. Summary of Elements
This section contains a full inventory of all ISE-SAR information exchange data classes,
elements, and definitions. Items and definitions contained in cells with a light purple background
are data classes, while items and definition contained in cells with a white background are data
elements. A wider representation of data class and element mappings to source (ISE-SAR
information exchange) and target is contained in the Component Mapping Template located in
the technical artifacts folder.
Cardinality between objects in the model is indicated on the line in the domain model (see
Section 5A). Cardinality indicates how many times an entity can occur in the model. For
example, Vehicle, Vessel, and Aircraft all have cardinality of 0..n. This means that they are
optional, but may occur multiple times if multiple suspect vehicles are identified.
Clarification of Organizations used in the exchange:
• The Source Organization is the agency or entity that originates the SAR report (examples
include a local police department, a private security firm handling security for a power
plant, and a security force at a military installation). The Source Organization will not
change throughout the life of the SAR.
• The Submitting Organization is the organization providing the ISE-SAR to the
community through their ISE Shared Space. The Submitting Organization and the Source
Organization may be the same.
• The Owning Organization is the organization that owns the target associated with the
suspicious activity.
Table 2 – ISE-SAR Information Exchange Data Classes, Elements, and Definitions
Privacy
Field
Source Class/Element
Source Definition
Aircraft
Aircraft Engine Quantity
A code identifying a color of a fuselage of an aircraft.
Aircraft Wing Color
X
The number of engines on an observed aircraft.
Aircraft Fuselage Color
A code identifying a color of a wing of an aircraft.
Aircraft ID
A unique identifier assigned to the aircraft by the observing
organization—used for referencing. *If this identifier can be used to
identify a specific aircraft, for instance, by using the aircraft tail
number, then this element is a privacy field. [free text field]
Aircraft Make Code
A code identifying a manufacturer of an aircraft.
Aircraft Model Code
A code identifying a specific design or type of aircraft made by a
manufacturer.
Aircraft Style Code
X
A code identifying a style of an aircraft.
Aircraft Tail Number
An aircraft identification number prominently displayed at various
locations on an aircraft, such as on the tail and along the fuselage.
[free text field]
Attachment
Attachment Type Text
Describes the type of attachment (e.g., surveillance video, mug
shot, evidence). [free text field]
Binary Image
Binary encoding of the attachment.
Capture Date
The date that the attachment was created.
Description Text
Text description of the attachment. [free text field]
Format Type Text
Format of attachment (e.g., mpeg, jpg, avi). [free text field]
Attachment URI
Uniform Resource Identifier (URI) for the attachment. Used to
match the attachment link to the attachment itself. Standard
representation type that can be used for Uniform Resource
Locators (URLs) and Uniform Resource Names (URNs).
Attachment Privacy Field
Indicator
Identifies whether the binary attachment contains information that
may be used to identify an individual.
Contact Information
Person First Name
Person to contact at the organization.
Person Last Name
Person to contact at the organization.
E-Mail Address
An email address of a person or organization. [free text field]
Full Telephone Number
A full length telephone identifier representing the digits to be dialed
to reach a specific telephone instrument. [free text field]
Driver License
X
The month, date, and year that the document expires.
The year the document expires.
Issuing Authority Text
X
Expiration Date
Expiration Year
Code identifying the organization that issued the driver license
assigned to the person. Examples include Department of Motor
Vehicles, Department of Public Safety and Department of Highway
Safety and Motor Vehicles. [free text field]
Driver License Number
A driver license identifier or driver license permit identifier of the
observer or observed person of interest involved with the
suspicious activity. [free text field]
Follow-Up Action
Activity Date
Date that the follow-up activity started.
Activity Time
Time that the follow up activity started.
Assigned By Text
Organizational identifier that describes the organization performing
a follow-up activity. This is designed to keep all parties interested
in a particular ISE-SAR informed of concurrent investigations. [free
text field]
Assigned To Text
Text describing the person or sub-organization that will be
performing the designated action. [free text field]
Disposition Text
Description of disposition of suspicious activity investigation. [free
text field]
Status Text
Description of the state of follow-up activity. [free text field]
Location
X
Location Description
A description of a location where the suspicious activity occurred. If
the location is an address that is not broken into its component
parts (e.g., 1234 Main Street), this field may be used to store the
compound address. [free text field]
Location Address
Building Description
A complete reference that identifies a building. [free text field]
County Name
A name of a county, parish, or vicinage. [free text field]
Country Name
A country name or other identifier. [free text field]
Cross Street Description
A description of an intersecting street. [free text field]
Floor Identifier
A reference that identifies an actual level within a building. [free
text field]
ICAO Airfield Code for
Departure
An International Civil Aviation Organization (ICAO) airfield code for
departure, indicates aircraft, crew, passengers, and cargo-on
conveyance location information. [free text field]
ICAO Airfield Code for
Planned Destination
An airfield code for planned destination, indicates aircraft, crew,
passengers, and cargo on conveyance location information [free
text field]
ICAO for Actual Destination
An airfield code for actual destination. Indicates aircraft, crew,
passengers, and cargo on conveyance location information. [free
text field]
ICAO Airfield for Alternate
An airfield code for Alternate. Indicates aircraft, crew, passengers,
and cargo on conveyance location information. [free text field]
Mile Marker Text
Identifies the sequentially numbered marker on a roadside that is
closest to the intended location. Also known as milepost, or mile
post. [free text field]
Municipality Name
The zip code or postal code. [free text field]
State Name
Code identifying the state.
Street Name
X
The name of the city or town. [free text field]
Postal Code
A name that identifies a particular street. [free text field]
Street Number
A number that identifies a particular unit or location within a street.
[free text field]
Street Post Directional
A direction that appears before a street name. [free text field]
Street Type
X
A direction that appears after a street name. [free text field]
Street Pre Directional
A type of street, e.g., Street, Boulevard, Avenue, Highway. [free
text field]
Unit ID
A particular unit within the location. [free text field]
Location Coordinates
Altitude
Height above or below sea-level of a location.
Coordinate Datum
Coordinate system used for plotting location.
Latitude Degree
A value that specifies the degree of a latitude. The value comes
from a restricted range between -90 (inclusive) and +90 (inclusive).
Latitude Minute
A value that specifies a minute of a degree. The value comes from
a restricted range of 0 (inclusive) to 60 (exclusive).
Latitude Second
A value that specifies a second of a minute. The value comes from
a restricted range of 0 (inclusive) to 60 (exclusive).
Longitude Degree
A value that specifies the degree of a longitude. The value comes
from a restricted range between -180 (inclusive) and +180
(exclusive).
Longitude Minute
A value that specifies a minute of a degree. The value comes from
a restricted range of 0 (inclusive) to 60 (exclusive).
Longitude Second
A value that specifies a second of a minute. The value comes from
a restricted range of 0 (inclusive) to 60 (exclusive).
Conveyance track/intent
A direction by heading and speed or enroute route and/or waypoint
of conveyance [free text field]
Observer
Observer Type Text
X
Indicates the relative expertise of an observer to the suspicious
activity (e.g., professional observer versus layman). Example: a
security guard at a utility plant recording the activity, or a citizen
driving by viewing suspicious activity. [free text field]
Person Employer ID
Number assigned by an employer for a person such as badge
number. [free text field]
Owning Organization
Organization Item
A name of an organization that owns the target. [free text field]
Organization Description
A text description of organization that owns the target. The
description may indicate the type of organization such as State
Bureau of Investigation, Highway Patrol, etc. [free text field]
Organization ID
A federal tax identifier assigned to an organization. Sometimes
referred to as a Federal Employer Identification Number (FEIN), or
an Employer Identification Number (EIN). [free text field]
Organization Local ID
X
An identifier assigned on a local level to an organization. [free text
field]
Other Identifier
X
Person Identification Number
(PID)
An identifying number assigned to the person, e.g., military serial
numbers. [free text field]
X
PID Effective Date
The month, date, and year that the PID number became active or
accurate.
PID Effective Year
The year that the PID number became active or accurate.
PID Expiration Date
The month, date, and year that the PID number expires.
X
PID Expiration Year
The year that the PID number expires.
PID Issuing Authority Text
The issuing authority of the identifier. This may be a State, military
organization, etc.
PID Type Code
Code identifying the type of identifier assigned to the person. [free
text field]
Passport
X
X
Passport ID
Document Unique Identifier. [free text field]
Expiration Date
The month, date, and year that the document expires.
Expiration Year
The year the document expires.
Issuing Country Code
Code identifying the issuing country. [free text field]
Person
X
AFIS FBI Number
A number issued by the FBI’s Automated Fingerprint Identification
System (AFIS) based on submitted fingerprints. [free text field]
Age
A precise measurement of the age of a person.
Age Unit Code
Code that identifies the unit of measure of an age of a person (e.g.,
years, months). [free text field]
Date of Birth
The month, date, and year that a person was born.
Year of Birth
X
The year a person was born.
Ethnicity Code
Code that identifies the person’s cultural lineage.
Maximum Age
The maximum age measurement in an estimated range.
Minimum Age
The minimum age measurement in an estimated range.
X
State Identifier
Number assigned by the State based on biometric identifiers or
other matching algorithms. [free text field]
X
Tax Identifier Number
A 9-digit numeric identifier assigned to a living person by the U.S.
Social Security Administration. A social security number of the
person. [free text field]
Person Name
X
First Name
A first name or given name of the person. [free text field]
X
Last Name
A last name or family name of the person. [free text field]
X
Middle Name
A middle name of a person. [free text field]
X
Full Name
Used to designate the compound name of a person that includes
all name parts. This field should only be used when the name
cannot be broken down into its component parts or if the
information is not available in its component parts. [free text field]
X
Moniker
Alternative, or gang name for a person. [free text field]
Name Suffix
A component that is appended after the family name that
distinguishes members of a family with the same given, middle,
and last name, or otherwise qualifies the name. [free text field]
Name Type
Text identifying the type of name for the person. For example,
maiden name, professional name, nick name.
Physical Descriptors
Build Description
Text describing the physique or shape of a person. [free text field]
Eye Color Code
Code identifying the color of the person’s eyes.
Eye Color Text
Text describing the color of a person’s eyes. [free text field]
Hair Color Code
Code identifying the color of the person’s hair.
Hair Color Text
Text describing the color of a person’s hair. [free text field]
Person Eyewear Text
A description of glasses or other eyewear a person wears. [free
text field]
Person Facial Hair Text
A kind of facial hair of a person. [free text field]
Person Height
A measurement of the height of a person.
Person Height Unit Code
Code that identifies the unit of measure of a height of a person.
[free text field]
Person Maximum Height
The maximum measure value on an estimated range of the height
of the person.
Person Minimum Height
The minimum measure value on an estimated range of the height
of the person.
Person Maximum Weight
The maximum measure value on an estimated range of the weight
of the person.
Person Minimum Weight
The minimum measure value on an estimated range of the weight
of the person.
Person Sex Code
A code identifying the gender or sex of a person (e.g., Male or
Female).
Person Weight
A measurement of the weight of a person.
Person Weight Unit Code
Code that identifies the unit of measure of a weight of a person.
[free text field]
Race Code
Code that identifies the race of the person.
Skin Tone Code
Code identifying the color or tone of a person’s skin.
Clothing Description Text
A description of an article of clothing. [free text field]
Physical Feature
Feature Description
A text description of a physical feature of the person. [free text
field]
Feature Type Code
A special kind of physical feature or any distinguishing feature.
Examples include scars, marks, tattoos, or a missing ear. [free text
field]
Location Description
A description of a location. If the location is an address that is not
broken into its component parts (e.g., 1234 Main Street), this field
may be used to store the compound address. [free text field]
Registration
Registration Authority Code
X
Text describing the organization or entity authorizing the issuance
of a registration for the vehicle involved with the suspicious activity.
[free text field]
Registration Number
The number on a metal plate fixed to/assigned to a vehicle. The
purpose of the registration number is to uniquely identify each
vehicle within a state. [free text field]
Registration Type
Code that identifies the type of registration plate or license plate of
a vehicle. [free text field]
Registration Year
A 4-digit year as shown on the registration decal issued for the
vehicle.
ISE-SAR Submission
Additional Details Indicator
Identifies whether more ISE-SAR details are available at the
authoring/originating agency than what has been provided in the
information exchange.
Data Entry Date
Date the data was entered into the reporting system (e.g., the
Records Management System).
Dissemination Code
Generally established locally, this code describes the authorized
recipients of the data. Examples include Law Enforcement Use, Do
Not Disseminate, etc.
Fusion Center Contact First
Name
Identifies the first name of the person to contact at the fusion
center. [free text field]
Fusion Center Contact Last
Name
Identifies the last name of the person to contact at the fusion
center. [free text field]
Fusion Center Contact E-Mail
Address
Identifies the email address of the person to contact at the fusion
center. [free text field]
Fusion Center Contact
Telephone Number
The full phone number of the person at the fusion center that is
familiar with the record (e.g., law enforcement officer).
Message Type Indicator
e.g., Add, Update, Purge.
Privacy Purge Date
The date by which the privacy information will be purged from the
record system; general observation data is retained.
Privacy Purge Review Date
Date of review to determine the disposition of the privacy fields in a
Detailed ISE-SAR IEPD record.
Submitting ISE-SAR Record
ID
Identifies the Fusion Center ISE-SAR Record identifier for reports
that are possibly related to the current report. [free text field]
ISE-SAR Submission Date
Date of submission for the ISE-SAR Record.
ISE-SAR Title
Plain language title (e.g., Bomb threat at the “X” Hotel). [free text
field]
ISE-SAR Version
Indicates the specific version of the ISE-SAR that the XML
Instance corresponds to. [free text field]
Source Agency Case ID
The case identifier for the agency that originated the SAR. Often,
this will be a local law enforcement agency. [free text field]
Source Agency Record
Reference Name
The case identifier that is commonly used by the source agency—
may be the same as the System ID. [free text field]
Source Agency Record
Status Code
The current status of the record within the source agency system.
Privacy Information Exists
Indicator
Indicates whether privacy information is available from the source
fusion center. This indicator may be used to guide people who only
have access to the summary information exchange as to whether
or not they can follow-up with the originating fusion center to obtain
more information.
Sensitive Information
Details
Classification Label
A classification of information. Includes Confidential, Secret, Top
Secret, no markings. [free text field]
Classification Reason Text
A reason why the classification was made as such. [free text field]
Sensitivity Level
Local information security categorization level (Controlled
Unclassified Information-CUI, including Sensitive But Unclassified
or Law Enforcement Sensitive). [free text field]
Tearlined Indicator
Identifies whether a report is free of classified information.
Source Organization
Organization Name
The name used to refer to the agency originating the SAR. [free
text field]
Organization ORI
Originating Agency Identification (ORI) used to refer to the agency.
System ID
The system that the case identifier (e.g., Records Management
System, Computer Aided Dispatch) relates to within or the
organization that originated the Suspicious Activity Report. [free
text field]
Fusion Center Submission
Date
Date of submission to the Fusion Center.
Source Agency Contact First
Name
The first name of the person at the agency that is familiar with the
record (e.g., law enforcement officer). [free text field]
Source Agency Contact Last
Name
The last name of the person at the agency that is familiar with the
record (e.g., law enforcement officer). [free text field]
Source Agency Contact
Email Address
The email address of the person at the agency that is familiar with
the record (e.g., law enforcement officer). [free text field]
Source Agency Contact
Phone Number
The full phone number of the person at the agency that is familiar
with the record (e.g., law enforcement officer).
Suspicious Activity Report
Community Description
Describes the intended audience of the document. [free text field]
Community URI
The URL to resolve the ISE-SAR information exchange payload
namespace.
LEXS Version
Identifies the version of Department of Justice LEISP Exchange
Specification (LEXS) used to publish this document. ISE-FS-200
has been built using LEXS version 3.1. The schema was
developed by starting with the basic LEXS schema and extending
that definition by adding those elements not included in LEXS.
[free text field]
Message Date/Time
A timestamp identifying when this message was received.
Sequence Number
A number that uniquely identifies this message.
Source Reliability Code
Reliability of the source, in the assessment of the reporting
organization: could be one of ‘reliable’, ‘unreliable’, or ‘unknown’
Content Validity Code
Validity of the content, in the assessment of the reporting
organization: could be one of ‘confirmed’, ‘doubtful’, or ‘cannot be
judged’
Nature of Source-Code
Nature of the source: Could be one of ‘anonymous tip’,
‘confidential source’, ‘trained interviewer’, ‘written statement –
victim, witness, other’, ‘private sector’, or ‘other source’
Nature of Source-Text
Optional information if ‘other source’ is selected above. [free text
field]
Submitting Organization
Organization Name
Common Name of the fusion center or ISE participant that
submitted the ISE-SAR record to the ISE. [free text field]
Organization ID
Fusion center or ISE participant’s alpha-numeric identifier. [free
text field]
Organization ORI
ORI for the submitting fusion center or ISE participant. [free text
field]
System ID
Identifies the system within the fusion center or ISE participant that
is submitting the ISE-SAR. [free text field]
Suspicious Activity
Activity End Date
The end or completion date in Greenwich Mean Time (GMT) of an
incident that occurs over a duration of time.
Activity End Time
The end or completion time in GMT of day of an incident that
occurs over a duration of time.
Activity Start Date
The date in GMT when the incident occurred or the start date if the
incident occurs over a period of time.
Activity Start Time
The time of day in GMT that the incident occurred or started.
Observation Description Text
Description of the activity including rationale for potential terrorism
nexus. [free text field]
Observation End Date
The end or completion date in GMT of the observation of an
activity that occurs over a duration of time.
Observation End Time
The end or completion time of day in GMT of the observation of an
activity that occurred over a period of time.
Observation Start Date
The date in GMT when the observation of an activity occurred or
the start date if the observation of the activity occurred over a
period of time.
Observation Start Time
The time of day in GMT that the observation of an activity occurred
or started.
Threat Type Code
Broad category of threat to which the tip or lead pertains. Includes
Financial Incident, Suspicious Activity, and Cyber Crime.
Threat Type Detail Text
Breakdown of the Tip Type, it indicates the type of threat to which
the tip or lead pertains. The subtype is often dependent on the Tip
Type. For example, the subtypes for a nuclear/radiological tip class
might be Nuclear Explosive or a Radiological Dispersal Device.
[free text field]
Suspicious Activity Code
Indicates the type of threat to which the tip or lead pertains.
Examples include a biological or chemical threat.
Weather Condition Details
The weather at the time of the suspicious activity. The weather
may be described using codified lists or text.
Target
Critical Infrastructure
Indicator
Critical infrastructure, as defined by 42 USC Sec. 5195c, means
systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any
combination of those matters.
Infrastructure Sector Code
The broad categorization of the infrastructure type. These include
telecommunications, electrical power systems, gas and oil storage
and transportation, banking and finance, transportation, water
supply systems, emergency services (including medical, police,
fire, and rescue), and continuity of government.
Infrastructure Tier Text
Provides additional detail that enhances the Target Sector Code.
For example, if the target sector is Utilities, this field would indicate
the type of utility that has been targeted such as power station or
power transmission. [free text field]
Structure Type Code
National Data Exchange (N-DEx) Code that identifies the type of
Structure that was involved in the incident.
Target Type Text
Describes the target type if an appropriate sector code is not
available. [free text field]
Structure Type Text
Text for use when the Structure Type Code does not afford
necessary code. [free text field]
Target Description Text
Text describing the target (e.g., Lincoln Bridge). [free text field]
Vehicle
Color Code
Code that identifies the primary color of a vehicle involved in the
suspicious activity.
Description
Text description of the entity. [free text field]
Make Name
Code that identifies the manufacturer of the vehicle.
Model Name
Code that identifies the specific design or type of vehicle made by
a manufacturer—sometimes referred to as the series model.
Style Code
Code that identifies the style of a vehicle. [free text field]
Vehicle Year
A 4-digit year that is assigned to a vehicle by the manufacturer.
X
Vehicle Identification Number
Used to uniquely identify motor vehicles. [free text field]
US DOT Number
An assigned number sequence required by Federal Motor Carrier
Safety Administration (FMCSA) for all interstate carriers. The
identification number (found on the power unit, and assigned by
the U.S. Department of Transportation or by a State) is a key
element in the FMCSA databases for both carrier safety and
regulatory purposes. [free text field]
Vehicle Description
A text description of a vehicle. Can capture unique identifying
information about a vehicle such as damage, custom paint, etc.
[free text field]
X
Related ISE-SAR
Fusion Center ID
Identifies the fusion center that is the source of the ISE-SAR. [free
text field]
Fusion Center ISE-SAR
Record ID
Identifies the fusion center ISE-SAR record identifier for reports
that are possibly related to the current report.
Relationship Description Text
Describes how this ISE-SAR is related to another ISE-SAR. [free
text field]
Vessel
X
Vessel Official Coast Guard
Number Identification
An identification for the Official (U.S. Coast Guard Number of a
vessel). Number is encompassed within valid marine documents
and permanently marked on the main beam of a documented
vessel. [free text field]
X
Vessel ID
A unique identifier assigned to the boat record by the agency—
used for referencing. [free text field]
Vessel ID Issuing Authority
Identifies the organization authorization over the issuance of a
vessel identifier. Examples of this organization include the State
Parks Department and the Fish and Wildlife department. [free text
field]
Vessel IMO Number
Identification
An identification for an International Maritime Organization Number
(IMO number) of a vessel [free text field]
Vessel MMSI Identification
An identification for the Maritime Mobile Service Identity (MMSI) of
a vessel [free text field]
X
Vessel Make
Code that identifies the manufacturer of the boat.
Vessel Model
Model name that identifies the specific design or type of boat made
by a manufacturer—sometimes referred to as the series model.
Vessel Model Year
A 4-digit year that is assigned to a boat by the manufacturer.
Vessel Name
Complete boat name and any numerics. [free text field]
Vessel Hailing Port
The identifying attributes of the hailing port of a vessel [free text
field]
Vessel National Flag
A data concept for a country under which a vessel sails. [free text
field]
Vessel Overall Length
The length measurement of the boat, bow to stern.
Vessel Overall Length
Measure
X
Code that identifies the measurement unit used to determine the
boat length. [free text field]
Vessel Serial Number
The identification number of a boat involved in an incident. [free
text field]
Vessel Type Code
Code that identifies the type of boat.
Vessel Propulsion Text
Text for use when the Boat Propulsion Code does not afford
necessary code. [free text field]
B. Association Descriptions
This section defines specific data associations contained in the ISE-SAR data model structure.
Reference Figure 2 (UML-based model) for the graphical depiction and detailed elements.
Table 3 – ISE-SAR Data Model Structure Associations
Link Between Associated
Components
Target Element
Link From Suspicious Activity
Report to Attachment
lexs:Digest/lexsdigest:Associations/lexsdigest:EntityAttachmentLinkAssociation
Link From Suspicious Activity
Report to Sensitive
Information Details
Hierarchical Association
Link From Suspicious Activity
Report to ISE-SAR
Submission
Hierarchical Association
Link From Suspicious Activity
to Vehicle
lexs:Digest/lexsdigest:Associations/lexsdigest:IncidentInvolvedItemAssociation
Link From Vehicle to
Registration
Hierarchical Association
Link From Suspicious Activity
to Vessel
lexs:Digest/lexsdigest:Associations/lexsdigest:IncidentInvolvedItemAssociation
Link From Suspicious Activity
to Aircraft
lexs:Digest/lexsdigest:Associations/lexsdigest:IncidentInvolvedItemAssociation
Link From Suspicious Activity
to Location
lexs:Digest/lexsdigest:Associations/lexsdigest:ActivityLocationAssociation
Link From Suspicious Activity
to Target
Hierarchical Association
Link From Location to Location
Coordinates
Hierarchical Association
Link From Location to Location
Address
Hierarchical Association
Link From Suspicious Activity
Report to Related ISE-SAR
Hierarchical Association
Link From Person to Location
lexs:Digest/lexsdigest:Associations/lexsdigest:PersonLocationAssociation
Link From Person to Contact
Information
lexs:Digest/lexsdigest:Associations/lexsdigest:EntityEmailAssociation or
lexs:Digest/lexsdigest:Associations/lexsdigest:EntityTelephoneNumberAssociation
Link From Person to Driver
License
Hierarchical Association
Link From Person to Passport
Hierarchical Association
Link From Person to Other
Identifier
Hierarchical Association
Link From Person to Physical
Descriptors
Hierarchical Association
Link From Person to Physical
Feature
Hierarchical Association
Link From Person to Person
Name
Hierarchical Association
Link From Suspicious Activity
Report to Follow-Up Action
Hierarchical Association
Link From Target to Location
lexs:Digest/lexsdigest:Associations/lexsdigest:ItemLocationAssociation
Link From Suspicious Activity
Report to Organization
Hierarchical Association
Link From Suspicious Activity
to Person [Witness]
lexs:Digest/lexsdigest:Associations/lexsdigest:IncidentWitnessAssociation
Link From Suspicious Activity
to Person [Person Of Interest]
lexs:Digest/lexsdigest:Associations/lexsdigest:PersonOfInterestAssociation
Link From Organization to
Target
ext:SuspiciousActivityReport/nc:OrganizationItemAssociation
Link from ISE-SAR
Submission to Submitting
Organization
Hierarchical Association
Link From Submitting
Organization to Contact
Information
Hierarchical Association
(Note that the mapping indicates context and we are not reusing Contact
Information components)
C. Extended XML Elements
Additional data elements are also identified as new elements outside of NIEM, Version 2.0.
These elements are listed below:
AdditionalDetailsIndicator: Identifies whether more ISE-SAR details are available at the
authoring/originating agency than what has been provided in the information exchange.
AssignedByText: Organizational identifier that describes the organization performing a
follow-up activity. This is designed to keep all parties interested in a particular ISE-SAR
informed of concurrent investigations.
AssignedToText: Text describing the person or sub-organization that will be performing the
designated follow-up action.
ClassificationReasonText: A reason why the classification was made as such.
ContentValidityCode: Validity of the content, in the assessment of the reporting
organization: could be one of ‘confirmed’, ‘doubtful’, or ‘cannot be judged’.
Conveyancetrack/intent: A direction by heading and speed or enroute route and/or
waypoint of conveyance.
CriticalInfrastructureIndicator: Critical infrastructure, as defined by 42 USC Sec. 5195c,
means systems and assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any combination of
those matters.
ICAOAirfieldCodeforDeparture: An International Civil Aviation Organization (ICAO)
airfield code for departure, indicates aircraft, crew, passengers, and cargo-on conveyance
location information.
ICAOAirfieldCodeforPlannedDestination: An airfield code for planned destination,
indicates aircraft, crew, passengers, and cargo on conveyance location information.
ICAOforActualDestination: An airfield code for actual destination. Indicates aircraft, crew,
passengers, and cargo on conveyance location information.
ICAOAirfieldforAlternate: An airfield code for Alternate. Indicates aircraft, crew,
passengers, and cargo on conveyance location information.
NatureofSource-Code: Nature of the source: Could be one of ‘anonymous tip’, ‘confidential
source’, ‘trained interviewer’, ‘written statement – victim, witness, other’, ‘private sector’, or
‘other source’.
PrivacyFieldIndicator: Data element that may be used to identify an individual and
therefore is subject to protection from disclosure under applicable privacy rules. Removal of
privacy fields from a detailed report will result in a summary report. This privacy field
informs users of the summary information exchange that additional information may be
available from the originator of the report.
ReportPurgeDate: The date by which the privacy fields will be purged from the record
system; general observation data is retained. Purge policies vary from jurisdiction to
jurisdiction and should be indicated as part of the guidelines.
ReportPurgeReviewDate: Date of review to determine the disposition of the privacy fields
in a Detailed ISE-SAR IEPD record.
SourceReliabilityCode: Reliability of the source, in the assessment of the reporting
organization: could be one of ‘reliable’, ‘unreliable’, or ‘unknown’.
VesselHailingPort: The identifying attributes of the hailing port of a vessel.
VesselNationalFlag: A data concept for a country under which a vessel sails.
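The PrivacyFieldIndicator and ReportPurgeDate definitions above describe two operations on a record: removing privacy fields to turn a detailed report into a summary report, and purging privacy fields by a date while general observation data is retained. The following is an added example, not part of ISE-FS-200 or of the filing. The Element type, the function names, the sample record and its privacy flags are constructed for illustration, and the free-text leak check is an added safeguard that the standard does not define.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Element:
    source_class: str    # class from the table, e.g. "Person Name"
    name: str            # element from the table, e.g. "Last Name"
    value: str
    privacy_field: bool  # the "X" in the Privacy Field column (constructed here)


def to_summary(detailed: list[Element]) -> tuple[list[Element], bool]:
    """Remove privacy fields from a detailed report.

    Returns the summary elements and the value to publish as the
    Privacy Information Exists Indicator.
    """
    summary = [e for e in detailed if not e.privacy_field]
    return summary, len(summary) < len(detailed)


def apply_purge(record: list[Element], purge_date: Optional[date],
                today: date) -> list[Element]:
    """Drop privacy fields once the Privacy Purge Date is reached.

    General observation data (non-privacy elements) is retained.
    """
    if purge_date is not None and today >= purge_date:
        return [e for e in record if not e.privacy_field]
    return list(record)


def leaked_values(detailed: list[Element], summary: list[Element]) -> list[str]:
    """Privacy values that still appear inside retained (free text) values.

    Dropping flagged elements does not scrub a name that was also typed
    into a free text field such as Observation Description Text.
    """
    retained = [e.value.lower() for e in summary]
    return [
        e.value for e in detailed
        if e.privacy_field and e.value
        and any(e.value.lower() in text for text in retained)
    ]


# Constructed sample record; the values and privacy flags are illustrative only.
DETAILED = [
    Element("Suspicious Activity", "Observation Description Text",
            "Vehicle left near the gate by a man who gave the name Doe", False),
    Element("Person Name", "Last Name", "Doe", True),
    Element("Passport", "Passport ID", "X0000000", True),
    Element("Vehicle", "Color Code", "BLU", False),
    Element("ISE-SAR Submission", "ISE-SAR Title",
            "Unattended vehicle near gate", False),
]

if __name__ == "__main__":
    summary, exists = to_summary(DETAILED)
    print([e.name for e in summary], exists)
    print("leaked into free text:", leaked_values(DETAILED, summary))
```
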
SECTION V – INFORMATION EXCHANGE IMPLEMENTATION ARTIFACTS
A. Domain Model
1. General Domain Model Overview
The domain model provides a visual representation of the business data requirements and
relationships (Figure 2). This Unified Modeling Language (UML)-based Model represents
the Exchange Model artifact required in the information exchange development
methodology. The model is designed to demonstrate the organization of data elements and
illustrate how these elements are grouped together into Classes. Furthermore, it describes
relationships between these Classes. A key consideration in the development of a Domain
Model is that it must be independent of the mechanism intended to implement the model. The
domain model is actually a representation of how data is structured from a business context.
As the technology changes and new Functional Standards emerge, developers can create new
standards mapping documents and schema tied to a new standard without having to readdress business process requirements.
Figure 2 – UML-based Model
B. General Mapping Overview
The detailed component mapping template provides a mechanism to cross-reference the business
data requirements documented in the Domain Model to their corresponding XML Element in the
XML Schema. It includes a number of items to help establish equivalency including the business
definition and the corresponding XML Element Definition.
C. ISE-SAR Mapping Overview
The Mapping Spreadsheet contains seven unique items for each ISE-SAR data class and element.
The Mapping Spreadsheet columns are described in this section.
Table 4 – Mapping Spreadsheet Column Descriptions
Spreadsheet
Name & Row
Description
Privacy Field
Indicator
This field indicates that the information may be used to identify an individual.
Source Class/
Element
Content in this column is either the data class (grouping of data elements) or the actual data
elements. Classes are highlighted and denoted with cells that contain blue background while
elements have a white background. The word “Source” is referring to the ISE-SAR information
exchange.
Source Definition
The content in this column is the class or element definition defined for this ISE-SAR
information exchange. The word “Source” is referring to the ISE-SAR information exchange
definition.
Target Element
The content in this column is the actual namespace path deemed equal to the related ISE-SAR information exchange element.
Target Element
Definition
The content in this column provides the definition of the target or NIEM element located at the
aforementioned source path. “Target” is referring to the NIEM definition.
Target Element
Base
Indicates the data type of the terminal element. Data types of niem-xsd:String or nc:TextType
indicate free-form text fields.
Mapping
Comments
Provides technical implementation information for developers and implementers of the
information exchange.
D. Schemas
The ISE-SAR Functional Standard contains the following compliant schemas:
• Subset Schema
• Exchange Schema
• Extension Schema
• Wantlist
E. Examples
The ISE-SAR Functional Standard contains two samples that illustrate exchange content as listed
below.
1. XSL Style Sheet
This information exchange artifact provides an implementer and users with a communication
tool which captures the look and feel of a familiar form, screen, or like peripheral medium
for schema translation testing and user validation of business rules.
2. XML Instance
This information exchange artifact provides an actual payload of information with data
content defined by the schema(s).
PART B – ISE-SAR CRITERIA GUIDANCE
Category
Description
DEFINED CRIMINAL ACTIVITY AND POTENTIAL TERRORISM NEXUS ACTIVITY
Breach/Attempted
Intrusion
Unauthorized personnel attempting to or actually entering a
restricted area or protected site. Impersonation of authorized
personnel (e.g. police/security, janitor).
Misrepresentation
Presenting false or misusing insignia, documents, and/or
identification, to misrepresent one’s affiliation to cover possible illicit
activity.
Theft/Loss/Diversion
Stealing or diverting something associated with a
facility/infrastructure (e.g., badges, uniforms, identification,
emergency vehicles, technology or documents {classified or
unclassified}, which are proprietary to the facility).
Sabotage/Tampering/
Vandalism
Damaging, manipulating, or defacing part of a facility/infrastructure
or protected site.
Cyber Attack
Compromising, or attempting to compromise or disrupt an
organization’s information technology infrastructure.
Expressed or Implied
Threat
Communicating a spoken or written threat to damage or
compromise a facility/infrastructure.
Aviation Activity
Operation of an aircraft in a manner that reasonably may be
interpreted as suspicious, or posing a threat to people or property.
Such operation may or may not be a violation of Federal Aviation
Regulations.
POTENTIAL CRIMINAL OR NON-CRIMINAL ACTIVITY REQUIRING ADDITIONAL
FACT INFORMATION DURING INVESTIGATION 11
Eliciting Information
Questioning individuals at a level beyond mere curiosity about
particular facets of a facility’s or building’s purpose, operations,
security procedures, etc., that would arouse suspicion in a
reasonable person.
Testing or Probing of
Security
Deliberate interactions with, or challenges to, installations,
personnel, or systems that reveal physical, personnel or cyber
security capabilities.
Recruiting
Building of operations teams and contacts, personnel data, banking
data or travel data
Photography
Taking pictures or video of facilities, buildings, or infrastructure in a
manner that would arouse suspicion in a reasonable person.
Examples include taking pictures or video of infrequently used
access points, personnel performing security functions (patrols,
badge/vehicle checking), security-related equipment (perimeter
fencing, security cameras), etc.
11 Note: These activities are generally First Amendment-protected activities and should not be reported in a SAR or ISE-SAR
absent articulable facts and circumstances that support the source agency’s suspicion that the behavior observed is not
innocent, but rather reasonably indicative of criminal activity associated with terrorism, including evidence of pre-operational
planning related to terrorism. Race, ethnicity, national origin, or religious affiliation should not be considered as factors that
create suspicion (although these factors may be used as specific suspect descriptions).
Exhibit D - Page 81
Observation/Surveillance: Demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc.
Materials Acquisition/Storage: Acquisition and/or storage of unusual quantities of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and timers, such that a reasonable person would suspect possible criminal activity.
Acquisition of Expertise: Attempts to obtain or conduct training in security concepts; military weapons or tactics; or other unusual capabilities that would arouse suspicion in a reasonable person.
Weapons Discovery: Discovery of unusual amounts of weapons or explosives that would arouse suspicion in a reasonable person.
Sector-Specific Incident: Actions associated with a characteristic of unique concern to specific sectors (such as the public health sector), with regard to their personnel, facilities, systems or functions.
Exhibit D - Page 82
PART C – ISE-SAR INFORMATION FLOW DESCRIPTION
Step 1. Activity: Observation
Process: The information flow begins when a person observes behavior or activities that would appear suspicious to a reasonable person. Such activities could include, but are not limited to, expressed or implied threats, probing of security responses, site breach or physical intrusion, cyber attacks, indications of unusual public health sector activity, unauthorized attempts to obtain precursor chemical/agents or toxic materials, or other usual behavior or sector-specific incidents.[12]
Notes: The observer may be a private citizen, a government official, or a law enforcement officer.
[12] Suspicious activity reporting (SAR) is official documentation of observed behavior that may be reasonably indicative of intelligence gathering and/or pre-operational planning related to terrorism or other criminal activity. ISE-SARs are a subset of all SARs that have been determined by an appropriate authority to have a potential nexus to terrorism (i.e., to be reasonably indicative of criminal activity associated with terrorism).
Exhibit D - Page 83
Step 2. Activity: Initial Response and Investigation
Process: An official of a Federal, State, local, or tribal agency with jurisdiction responds to the reported observation.[13] This official gathers additional facts through personal observations, interviews, and other investigative activities. This may, at the discretion of the official, require further observation or engaging the subject in conversation. Additional information acquired from such limited investigative activity could then be used to determine whether to dismiss the activity as innocent or escalate to the next step of the process. In the context of priority information requirements, as provided by State and major urban area fusion centers, the officer/agent may use a number of information systems to continue the investigation. These systems provide the officer/agent with a more complete picture of the activity being investigated. Some examples of such systems and the information they may provide include:
- Department of Motor Vehicles provides drivers license and vehicle registration information;
- National Crime Information Center provides wants and warrants information, criminal history information and access to the Terrorist Screening Center and the terrorist watch list, Violent Gang/Terrorism Organization File (VGTOF), and Regional Information Sharing System (RISS);
- Other Federal, State, local, and tribal systems can provide criminal checks within the immediate and surrounding jurisdictions.
When the initial investigation is complete, the official documents the event. The report becomes the initial record for the law enforcement or Federal agency’s records management system (RMS).
Notes: The event may be documented using a variety of reporting mechanisms and processes, including but not limited to, reports of investigation, event histories, field interviews (FI), citations, incident reports, and arrest reports. The record may be hard and/or soft copy and does not yet constitute an ISE-SAR.
[13] If a suspicious activity has a direct connection to terrorist activity the flow moves along an operational path. Depending upon urgency, the information could move immediately into law enforcement operations and lead to action against the identified terrorist activity. In this case, the suspicious activity would travel from the initial law enforcement contact directly to the law enforcement agency with enforcement responsibility.
Exhibit D - Page 84
Step 3. Activity: Local/Regional Processing
Process: The agency processes and stores the information in the RMS following agency policies and procedures. The flow will vary depending on whether the reporting organization is a State or local agency or a field element of a Federal agency.
State, local, and tribal: Based on specific criteria or the nature of the activity observed, the State, local, and tribal law enforcement components forward the information to the State or major urban area fusion center for further analysis.
Federal: Federal field components collecting suspicious activity would forward their reports to the appropriate resident, district, or division office. This information would be reported to field intelligence groups or headquarters elements through processes that vary from agency to agency.
In addition to providing the information to its headquarters, the Federal field component would provide an information copy to the State or major urban area fusion center in its geographic region. This information contributes to the assessment of all suspicious activity in the State or major urban area fusion center’s area of responsibility.
Notes: The State or major urban area fusion center should have access to all suspicious activity reporting in its geographic region whether collected by State, local, or tribal entities, or Federal field components.
Step 4. Activity: Creation of an ISE-SAR
Process: The determination of an ISE-SAR is a two-part process. First, at the State or major urban area fusion center or Federal agency, an analyst or law enforcement officer reviews the newly reported information against ISE-SAR behavior criteria. Second, based on available knowledge and information, the analyst or law enforcement officer determines whether the information meeting the criteria has a potential nexus to terrorism.
Once this determination is made, the information becomes an “ISE-SAR” and is formatted in accordance with ISE-FS-200 (ISE-SAR Functional Standard). The ISE-SAR would then be shared with appropriate law enforcement and homeland security personnel in the State or major urban area fusion center’s area of responsibility.
Notes: Some of this information may be used to develop criminal intelligence information or intelligence products which identifies trends and other terrorism related information and is derived from Federal agencies such as NCTC, DHS, and the FBI.
For State, local, and tribal law enforcement, the ISE-SAR information may or may not meet the reasonable suspicion standard for criminal intelligence information. If it does, the information may also be submitted to a criminal intelligence information database and handled in accordance with 28 CFR Part 23.
Exhibit D - Page 85
Step 5. Activity: ISE-SAR Sharing and Dissemination
Process: In a State or major urban area fusion center, the ISE-SAR is shared with the appropriate FBI field components and the DHS representative and placed in the State or major urban area fusion center’s ISE Shared Space or otherwise made available to members of the ISE.
The FBI field component enters the ISE-SAR information into the FBI system and sends the information to FBI Headquarters.
The DHS representative enters the ISE-SAR information into the DHS system and sends the information to DHS, Office of Intelligence Analysis.
Step 6. Activity: Federal Headquarters (HQ) Processing
Process: At the Federal headquarters level, ISE-SAR information is combined with information from other State or major urban area fusion centers and Federal field components and incorporated into an agency-specific national threat assessment that is shared with ISE members.
The ISE-SAR information may be provided to NCTC in the form of an agency-specific strategic threat assessment (e.g., strategic intelligence product).
Step 7. Activity: NCTC Analysis
Process: When product(s) containing the ISE-SAR information are made available to NCTC, they are processed, collated, and analyzed with terrorism information from across the five communities—intelligence, defense, law enforcement, homeland security, and foreign affairs—and open sources.
NCTC has the primary responsibility within the Federal government for analysis of terrorism information. NCTC produces federally coordinated analytic products that are shared through NCTC Online, the NCTC secure web site.
The Interagency Threat Assessment and Coordinating Group (ITACG), housed at NCTC, facilitates the production of coordinated terrorism-related products that are focused on issues and needs of State, local, and tribal entities and when appropriate private sector entities. ITACG is the mechanism that facilitates the sharing of counterterrorism information with State, local, and tribal entities.
Exhibit D - Page 86
Step 8. Activity: NCTC Alerts, Warnings, Notifications
Process: NCTC products[14], informed by the ITACG as appropriate, are shared with all appropriate Federal departments and agencies and with State, local, and tribal entities through the State or major urban area fusion centers. The sharing with State, local, and tribal entities and private sector occurs through the Federal departments or agencies that have been assigned the responsibility and have connectivity with the State or major urban area fusion centers. Some State or major urban area fusion centers, with secure connectivity and an NCTC Online account, can access NCTC products directly. State or major urban area fusion centers will use NCTC and ITACG informed products to help develop geographic-specific risk assessments (GSRA) to facilitate regional counterterrorism efforts. The GSRA are shared with State, local, and tribal entities and the private sector as appropriate. The recipient of the GSRA may use the GSRA to develop information gathering priorities or requirements.
Notes: NCTC products form the foundation of informational needs and guide collection of additional information. NCTC products should be responsive to informational needs of State, local, and tribal entities.
Step 9. Activity: Focused Collection
Process: The information has come full circle and the process begins again, informed by an NCTC or other Federal organization’s product and the identified information needs of State, local and tribal entities and Federal field components.
[14] NCTC products include: Alerts, warnings, and notifications—identifying time sensitive or strategic threats; Situational awareness reports; and Strategic and foundational assessments of terrorist risks and threats to the United States and related intelligence information.
Exhibit D - Page 87
Figure 3 – SAR Information Flow Diagram
Exhibit D - Page 88
Exhibit E
Exhibit E - Pages 89-114
Exhibit F
Exhibit F - Page 115
UNCLASSIFIED//FOR OFFICIAL USE ONLY
ROLL CALL RELEASE
In Collaboration with the ITACG
26 July 2010
(U//FOUO) Indicators of Suspicious Behaviors at Hotels
(U//FOUO) Known or possible terrorists have displayed suspicious behaviors while staying at
hotels overseas—including avoiding questions typically asked of hotel registrants; showing
unusual interest in hotel security; attempting access to restricted areas; and evading hotel staff.
These behaviors also could be observed in U.S. hotels, and security and law enforcement
personnel should be aware of the potential indicators of terrorist activity.
(U//FOUO) Possible indicators of terrorist behaviors at hotels: The observation of multiple
indicators may represent—based on the specific facts or circumstances—possible terrorist behaviors at
hotels:
— (U//FOUO) Not providing professional or personal details on hotel registrations—such as
place of employment, contact information, or place of residence.
— (U//FOUO) Using payphones for outgoing calls or making front desk requests in person to
avoid using the room telephone.
— (U//FOUO) Interest in using Internet cafes, despite hotel Internet availability.
— (U//FOUO) Non-VIPs who request that their presence at a hotel not be divulged.
— (U//FOUO) Extending departure dates one day at a time for prolonged periods.
— (U//FOUO) Refusal of housekeeping services for extended periods.
— (U//FOUO) Extended stays with little baggage or unpacked luggage.
— (U//FOUO) Access or attempted access to areas of the hotel normally restricted to staff.
— (U//FOUO) Use of cash for large transactions or a credit card in someone else’s name.
— (U//FOUO) Requests for specific rooms, floors, or other locations in the hotel.
— (U//FOUO) Use of a third party to register.
— (U//FOUO) Multiple visitors or deliveries to one individual or room.
— (U//FOUO) Unusual interest in hotel access, including main and alternate entrances,
emergency exits, and surrounding routes.
— (U//FOUO) Use of entrances and exits that avoid the lobby or other areas with cameras and
hotel personnel.
— (U//FOUO) Attempting to access restricted parking areas with a vehicle or leaving unattended
vehicles near the hotel building.
— (U//FOUO) Unusual interest in hotel staff operating procedures, shift changes,
closed-circuit TV systems, fire alarms, and security systems.
— (U//FOUO) Leaving the property for several days and then returning.
— (U//FOUO) Abandoning a room and leaving behind clothing, toiletries, or other items.
— (U//FOUO) Noncompliance with other hotel policies.
(U) Prepared by the DHS/I&A Homeland Counterterrorism Division, the DHS/I&A Cyber, Infrastructure, and Science Division, the FBI/Directorate of Intelligence,
and the Interagency Threat Assessment and Coordination Group. This product is intended to assist federal, state, local, and private sector first responders so they
may effectively deter, prevent, preempt, or respond to terrorist attacks against the United States. This product was coordinated with the DHS/Office of Infrastructure
Protection.
(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the
Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to
FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an
authorized DHS official. State and local homeland security officials may share this document with critical infrastructure and key resource personnel and private
sector security officials without further approval from DHS.
(U) The FBI regional phone numbers can be found online at http://www.fbi.gov/contact/fo/fo.htm and the DHS National Operations Center (NOC) can be reached
by telephone at (202) 282-9685 or by e-mail at NOC.Fusion@dhs.gov. For information affecting the private sector and critical infrastructure, contact the National
Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at (202) 282-9201 or by e-mail at NICC@dhs.gov.
Exhibit F - Page 116
Exhibit G
Exhibit G - Page 117
Exhibit G - Page 118
The FBI’s Terrorism Quick Reference Card
Law Enforcement Sensitive
First responding officers should be aware of suspicious factors that may indicate a possible terrorist threat. These factors should be considered collectively in assessing a possible threat. This quick reference guide is intended to provide practical information for line officers but may not encompass every threat or circumstance. State and local law enforcement may contact their local FBI field office or resident agency for additional assistance.
1) Possible Suicide Bomber Indicators - A.L.E.R.T.
A. Alone and nervous.
B. Loose and/or bulky clothing (may not fit weather conditions).
C. Exposed wires (possibly through sleeve).
D. Rigid mid-section (explosive device or may be carrying a rifle).
E. Tightened hands (may hold detonation device).
2) Passport History
A. Recent travel overseas to countries that sponsor terrorism.
B. Multiple passports with different countries/names (caution: suspect may have dual citizenship).
C. Altered passport numbers or photo substitutions; pages have been removed.
3) Other Identification - Suspicious Characteristics
A. No current or fixed address; fraudulent/altered: Social Security cards, visas, licenses, etc.; multiple ID's with names spelled differently.
B. International drivers ID:
1. There are no international or UN drivers' licenses - they are called permits.
2. Official international drivers' permits are valid for one year from entry into the U.S., they are paper-gray in color, not laminated, and are only valid for foreign nationals to operate in the U.S.
4) Employment/School/Training
A. No obvious signs of employment.
B. Possess student visa but not English proficient.
C. An indication of military type training in weapons or self-defense.
5) Unusual Items In Vehicles/Residences
A. Training manuals; flight, scuba, explosive, military, or extremist literature.
B. Blueprints (subject may have no affiliation to architecture).
C. Photographs/diagrams of specific high profile targets or infrastructures; to include entrances/exits of buildings, bridges, power/water plants, routes, security cameras, subway/sewer, and underground systems.
D. Photos/pictures of known terrorists.
E. Numerous prepaid calling cards and/or cell phones.
F. Global Positioning Satellite (GPS) unit
G. Multiple hotel receipts
H. Financial records indicating overseas wire transfers
I. Rental vehicles (cash transactions on receipts; living locally but renting)
Exhibit G - Page 119
The FBI’s Terrorism Quick Reference Card -- Continued
6) Potential Props
A. Baby stroller or shopping cart.
B. Suspicious bag/backpack, golf bag.
C. Bulky vest or belt.
7) Hotel/Motel Visits
A. Unusual requests, such as:
1. Refusal of maid service.
2. Asking for a specific view of bridges, airports, military/government installation (for observational purposes).
3. Electronic surveillance equipment in room
B. Suspicious or unusual items left behind.
C. Use of lobby or other pay phone instead of room phone.
8) Recruitment Techniques
CAUTION: The following factors, which may constitute activity protected by the United States Constitution, should only be considered in the context of other suspicious activity and not be the sole basis of law enforcement action.
A. Public demonstrations and rallies.
B. Information about new groups forming.
C. Posters, fliers, and underground publications.
9) Thefts, Purchases, Or Discovery Of:
A. Weapons/explosive materials.
B. Camera/surveillance equipment.
C. Vehicles (to include rentals - fraudulent name; or failure to return vehicle).
D. Radios: Short wave, two-way and scanners.
E. Identity documents (State IDs, passports etc.)
F. Unauthorized uniforms
Exhibit G - Page 120
Reports of explosions where not
authorized.
Theft or abnormal sales of containers
(for example, propane bottles) or
possible vehicles (trucks or cargo
vans) in combination with other
indicators.
Large theft or sales of chemicals
which, when combined, create
ingredients for explosives (fuel oil,
nitrates).
Reports of automatic weapons firing.
Large amounts of high-nitrate
fertilizer sales to nonagricultural
purchasers, or abnormally large
amounts (compared with previous
sales) to bona fide agricultural
purchasers.
Theft, loss, seizure, or recovery of
large amounts of cash by groups
advocating violence against the
government, military, or similar
targets.
Theft, sales, or seizure of night vision
or thermal imaging equipment when
combined with other indicators.
Seizures of modified weapons or
equipment used to modify weapons
(especially silencers).
Theft or unusual sales of military-grade weapons ammunition.
Theft or unusual sales of large
numbers of semi-automatic weapons,
especially those which are known to
be readily converted to fully-automatic.
2. Possible Weapons Attack Indicators
Theft of commercial-grade explosives,
chemical substances, blasting caps.
1. Possible Explosive Attack Indicators
II. Indicators and Detection of Terrorist Explosive/Weapons/CBN Attack [1]
Seizures of improvised explosive
devices or materials.
Inappropriate inquiries regarding
heating and ventilation systems for
buildings or facilities by persons not
associated with service agencies.
Inappropriate inquiries regarding
local chemical/biological/nuclear
sales, storage, or transportation
points and facilities.
Sales to non-agricultural users or
thefts of agricultural sprayers, or
crop-dusting aircraft, foggers, river
craft or other dispensing systems.
Multiple cases of unexplained human
or animal deaths.
Theft or solicitation for sales of live
agents, toxins, or diseases from
medical supply companies or testing
and experimentation facilities.
Break-in or tampering with
equipment at water treatment
facilities or food processing facilities
or warehouses.
Sales or theft of large quantities of
baby formula, or an unexplained
shortage in an area. (Baby formula
is used to grow certain specific
cultures.)
3. Possible
Chemical/Biological/Nuclear Indicators:
Exhibit G - Page 121
Personnel observed near a potential
target using or carrying video, still
camera, or other observation
equipment, especially when coupled
with high magnification lenses.
Suspicious persons sitting in a parked
car for an extended period of time for
no apparent reason.
According to the Department of Homeland
Security, nearly every major terrorist attack has
been preceded by a thorough surveillance of the
targeted facility. Surveillance operations
have certain characteristics that are
particular to pre-operational activity. The
degree of expertise used in the execution of the
operation will increase or decrease the
likelihood of detection. Some of these
characteristics are:
Suspicious persons or vehicles being
observed in the same location on
multiple occasions, including those
posing as panhandlers, vendors, or
others not previously seen in the area.
III. Surveillance, Targeting, and Attack Indicators and Countermeasures
A. Surveillance [2]
Persons not fitting into the
surrounding environment, such as
wearing improper attire for the
location.
A noted pattern or series of false
alarms requiring law enforcement or
emergency services response;
individuals noticeably observing
security procedures and responses or
questioning security or facility
personnel.
Personnel observed parked near,
standing near, or loitering near the
same vicinity over several days, with
no apparent reasonable explanation.
Personnel possessing or observed
using night vision or thermal devices
near the potential target area
Suspicious persons drawing pictures
or taking notes in a non-tourist or
other area not normally known to have
such activity.
Personnel observed with facility maps
and/or photographs, or diagrams with
specific buildings or facilities
highlighted; or with notes regarding
infrastructure, or listing of certain key
personnel.
Suspicious persons showing an
interest in or photographing security
systems and positions.
A blank facial expression in an
individual may be indicative of
someone concentrating on something
not related to what they appear to be
doing.
Persons exhibiting unusual behavior
such as staring or quickly looking
away from individuals or vehicles as
they enter or leave designated
facilities or parking areas.
Computer hackers attempting to
access sites with personal information,
maps, or other data useful to
compiling a target information packet.
Recent damage to potential target
perimeter security (breaches in the
fenceline).
Non-government persons in
possession of government official ID
cards.
Theft of official identification (ID)
cards (including family members,
retirees), or government official
license plates.
Exhibit G - Page 122
The identity, age, residence, and social
status of the intended target.
A description of the vehicle that the
target drives.
The work environment of the intended
target, to include time of departure and
return from work as well as the route
taken to his/her place of employment.
The manner in which the target
spends his/her free time and the places
where he/she spends vacations and
holidays.
The identity and address of the
target’s friends.
The identity of the target’s spouse,
where he/she works and whether the
target visits him/her there.
The identity of the target’s children
and whether the target visits at the
school.
Whether the target has a significant
other (boyfriend or girlfriend), that
If the intended target of an operation is an
individual, the information collected on that
person may include several of the following:
III. Surveillance, Targeting, and Attack Indicators and Countermeasures - Continued
B. Targeting [3]
The width of the streets and the
direction in which they run leading to
the facility.
Available transportation to the facility.
The area, physical layout, and setting
of the facility.
Traffic signals and pedestrian areas
near the facility.
The location of security personnel
centers (police stations, etc.) and
nearby government agencies.
The economic characteristics of the
area where the place is located.
Traffic congestion times near the
facility.
If the intended target is a facility or
important building, surveillance teams may
attempt to obtain the following information
pertaining to the exterior of the facility:
person’s address, and when the target
visits there.
The identity of the physician who
treats the target.
The location of the stores where the
target does his/her shopping.
The location of entrances and exits to
the target’s residence, and the
surrounding streets.
Means of surreptitiously entering the
target’s residence.
Whether the target is armed; if
protected by guards, the number of
guards and their armament, if any.
Number of people typically inside the
facility.
Number and location of guard posts
within the facility.
Number and names of the leaders
within the facility.
Number of floors and rooms within
the facility.
Telephone lines and the location of the
switchboard.
Times of entrance and exit of specific
individuals.
Inside parking available at the facility.
Location of electrical power switches.
Surveillance teams may also attempt to obtain
the following information pertaining to the
interior of the facility:
Amount and location of lighting near
the facility.
Exhibit G - Page 123
Making threats directly to the target or
indirectly to third parties.
Pre-Attack Indicative Behaviors:
C. Attack [4]
Shapes and characteristics of buildings
and surrounding features.
Traffic directions and width of streets.
Location of traffic signals and
pedestrian areas.
Location of police stations, security
personnel centers and government
agencies.
Location of public parks.
Amount and location of lighting.
Training literature also identifies the use of
photography and detailed drawings by those
conducting surveillance operations.
Photographs are taken to depict panoramic and
overlapping views of potential target areas.
Surveillance team members typically also draw
a diagram of the target of the surveillance
operation. The diagram is typically realistic so
that someone who never saw the target could
visualize it. In order for the diagram to
accurately depict the target it should contain the
following:
III. Surveillance, Targeting, and Attack Indicators and Countermeasures - Continued
Proactively pursue through
investigation and questioning any
individual reported to be a threat to
bomb or carry out a terrorist act and
thereby arouse suspicions in others.
Interview collaterals (family, friends,
employers, neighbors and coreligionists) who observe changes in
the individual’s behavior (withdrawal
from previous social contacts;
radicalization of beliefs; travel to
countries known to be supportive of
terrorist activities; associations with
other suspected terrorists; new and
unidentified sources of income;
increase in religiousness).
Gather intelligence in communities
containing or supporting such activity.
Pre-Attack Countermeasures:
“Leakage” by attacker (behavioral
signs of intent to attack), including:
- vague threats (to manage own
emotions of anger, anxiety, or fear);
- bragging to third parties of intent
to attack;
- exaggerated, larger-than-life
articulated fantasies of success or
outcome of bombing (e.g., number
of victims, joining other martyrs
that have preceded him);
- evasive when questioned
concerning past history and future
plans, or such information is not
realistic or verifiable.
Casing of properties/buildings.
No direct threats to the target, but
continues to communicate threat to
trusted third parties.
“Leakage” may continue to third
parties, but may become more
constricted on advice of higher-ups.
“Boundary probing” with physical
approaches to measure restrictions to
access, if any (private security,
physical boundaries, local law
enforcement presence).
Surveillance of target (victims and
location); familiarization with area,
decision making concerning dress and
appearance, and select time and day to
maximize casualties; countersurveillance of security personnel or
barriers already in place.
Acquisition of materials for the bomb,
including the explosive proper, the
detonation device, and the container.
The latter may be selected on the basis
of commonly seen packages or items
in the target area (backpacks, grocery
bags, retail bags) derived from
surveillance.
May prepare a suicide note or video
for dissemination after the bombing.
May give possessions away and get
other worldly affairs in order.
Attack Preparation: Indicative Behaviors
Develop and acquire assets among
trusted community resources (local
media, religious leaders, community
activists, and professionals).
Exhibit G - Page 124
Emotions are likely to be more
volatile (quickly changing; may be
irritable, sad, easily upset).
May indulge in “worldly sins” that
directly violate religious beliefs
(visiting bars, strip clubs, gambling) in
order to blend in with victims and
avoid apprehension.
Will pay for items in cash.
Daily behaviors become consistent
with no future (e.g., forgetting to take
change, purchasing one-way tickets).
Handler’s involvement increases to
help suicide bomber stay focused and
manage anxiety; chief communication
will be through e-mail, cell phone, or
direct contact.
May show arrogance and hatred
toward Americans through bragging,
expressed dislike of attitudes and
decisions of US government,
superiority of religious beliefs, and
difficulty tolerating proximity to those
he hates (e.g., waiting in a grocery store
line becomes intolerable).
Will engage in “private rituals” within
hours of the bombing that have
religious and symbolic meaning, such
as bathing, fasting, shaving of body
hair, perfuming, and increased
praying. These acts reinforce the
Clothing is out of sync with the
weather, suspect’s social position (he
appears well-groomed but is wearing
sloppy clothing), or location (wearing
a coat inside a building).
Attack Initiation: Indicative Behaviors:
Actively interview suspects and close
contacts reported to be engaging in
preparation to attack.
Detain and/or arrest, if probable cause
to do so exists, to prevent further
preparation and attack.
Conduct “warehouse surveys” of retail
outlets for bomb making materials to
identify the suspect’s acquisition
behavior and gather evidence (e.g.,
computer stores, Radio Shack or other
electronic instrument stores, and
chemical ingredient or fertilizer
outlets).
Conduct counter-surveillance of the
identified target.
Harden the identified target to reduce
or impede access by a suicide bomber
or other suicide terrorists.
Monitor e-mail or cell phone usage of
the suspect bomber.
Continue surveillance of the suspect’s
behavior.
Attack Preparation Countermeasures
meaning of his suicide bombing, steel
him to the task, and keep him focused
on the larger cause.
Clothing is loose.
Suspect may be carrying heavy
luggage, bag, or wearing a backpack.
Suspect sometimes keeps his hands in
his pockets.
Suspect repeatedly pats his upper body
with his hands, as if double-checking
whether he forgot something.
Pale face from recent shaving of
beard.
No obvious emotion seen on the face.
Eyes appear to be focused and
vigilant. Does not respond to
authoritative voice commands or
direct salutation from a distance.
May appear to be “in a trance.”
Suspect walks deliberately but is not
running.
Just prior to detonation, suspect will
hold his hands above his head and
shout a phrase; or suspect will place
his hands and head close to the bomb
to obliterate post-mortem
identification.
Exhibit G - Page 125
Synchronized serial attacks
implemented in stages, in close
physical or temporal proximity to
increase casualties of first responders,
including law enforcement and
medical personnel.
If there is a second attack, it is likely
to occur within 20 minutes and be
carried out along evacuation route of
casualties or near first targeted area.
Post Offense Behavior by Attacker’s
Handlers or Associates: Indicative
Behaviors:
Call or shout a voice command from a
distance to break the suspect’s
concentration.
Make physical contact with the
suspect to distract his attention and
physically impede his forward
movement.
Insure physical control before
questioning, especially of hands and
arms.
Insure safety of civilian targets in
immediate area.
Attack Initiation Countermeasures:
Make counter-surveillance team a part
of the first response.
Include bomb disposal experts in first
response to search for additional
explosives.
Post Offense Countermeasures:
Surveillance of attack site to study
first responders’ behavior and plan for
future attacks.
Exhibit G - Page 126
1 Source: Chief Warrant Officer 3 Del Stewart, U.S. Army Intelligence Center
2 Source: Chief Warrant Officer 3 Del Stewart, U.S. Army Intelligence Center; FBI Intelligence Bulletin 53, February 26, 2003, “Possible Indicators of al-Qaeda Surveillance.”
3 This section extracted from “Use of Surveillance by Terrorist Groups,” by the CONUS Analysis Section, Pol Mil/Force Protection Branch, Joint Forces Intelligence Command
4 This section extracted from “Suicide/Homicide Attacker Behaviors and Suggested Countermeasures,” by FBI Behavioral Analysis Program & Central Intelligence Agency analysts, and issued by the Interagency Intelligence Committee on Terrorism.
Exhibit H
Exhibit H - Page 127
Exhibit H - Page 128
What Should I Consider Suspicious?
What Should I Do?
Potential Indicators of Terrorist Activities Related to the General Public
Communities Against Terrorism
Exhibit H - Page 129
Help Protect Your Community
Be Part of the Solution
Potential Indicators of Terrorist Activities Related to the General Public
Exhibit I
Exhibit I - Page 130
Communities Against Terrorism
Potential Indicators of Terrorist Activities
Related to Electronic Stores
What Should I Consider Suspicious?
Exhibit I - Page 131
What Should I Do?
Exhibit J
Exhibit J - Page 132
Communities Against Terrorism
Potential Indicators of Terrorist Activities
Related to Mass Transportation
What Should I Consider Suspicious?
Exhibit J - Page 133
What Should I Do?