State Depart's Report on Passport Records Access
Office of the Spokesman
July 3, 2008
Special Briefing On The State Department Inspector General's Report on Passport Records Access
Speakers: Principal Deputy Assistant Secretary of State for Consular Affairs Michael Kirby, Managing Director of Passport Services Florence Fultz
MR. DONAHUE: Okay. Good afternoon. My name is David Donahue. I'm the Public Affairs - Director of Public Affairs in the Office of Consular Affairs. And today, we have our Principal Deputy Assistant Secretary of State for Consular Affairs Michael D. Kirby - I think regular spelling on that - and our acting Managing Director of Passport Services Florence Fultz, F-u-l-t-z. And she will be our subject matter expert today. And we're here - we do have a short schedule. We have to be out of here by 10 after 4:00.
QUESTION: How do you spell Florence?
MS. FULTZ: F-l-o-r-e-n-c-e.
QUESTION: Thank you.
MR. KIRBY: I apologize, but I had a pre-set meeting, but we thought it was useful to make ourselves available today given that the report came out.
QUESTION: Can I start? Why did it take an OIG report to find what it described as many weaknesses in your systems for preventing and punishing improper access to passport files? Why were there not in existence systems designed both to detect such snooping and consistent guidelines for how to punish those who improperly view citizens' personal information?
MR. KIRBY: Well, it didn't, in fact, take an OIG report for us to start taking action. It's - so I will say that the OIG report, however, was very useful in focusing our attention. We had some systems in place. The report highlights the fact that perhaps they could have been more robust.
QUESTION: It doesn't say "perhaps." It says it found many weaknesses.
MR. KIRBY: Okay. Then it could have been, should have been more robust. But I'd like to stress that what we are doing now is trying to move forward from that. We have eliminated almost half of the users in the system. If a case - if an ID has been active - inactive for 90 days, we've eliminated those. So we have limited the numbers of people who have access. We have added people to the monitoring group to make sure that we are aware, if there is access, that we have the people to track those down, investigate the cases. We're now doing random audits of employees' and contractors' access. And we have now a warning to people and we've given them more training.
In the end, though, I would like to stress that in order to issue passports, we have to be able to and our employees have to be able to access the records. So we will have to continue to access records.
QUESTION: Do you regard the more than 4,000 accesses to the 127 people described in Appendix A as excessive?
MR. KIRBY: Well, I would say that we are reviewing the circumstances under which the people looked at those records. And we will be taking appropriate action. I think you have to look at each case, why they accessed it. But certainly, it's proper that we take a look at each individual one and review it. And if it's an inappropriate access, then we will take appropriate disciplinary measures.
QUESTION: Have you found that those more than 4,000 accesses, that any of them was inappropriate? I can imagine circumstances under which you might actually need to go into somebody's file two dozen times if it's a very complicated case. That said, you know, the report gives this - the appendix gives this table where it describes the number of individuals on the high - fit the high profile list, and there are nine of them where there were 101 or more hits to their passport files.
MS. FULTZ: The ones - if I could just jump in. First of all, the 4,000 is a little bit misleading because - and I think it explains it in a footnote. If you go in to even locate whether or not there is a passport record, that's one hit. If you then open the record and look at it, that's at least two hits because there are two pages, at least. So if you print it out, that's another hit on the same record.
But what has happened is that of the review that the OIG did, the ones that they thought looked most egregious or least likely to have been authorized, they referred those for further investigation. So OIG is still investigating those and we have not yet heard definitively if those were authorized or unauthorized.
QUESTION: In your own investigations, have they - have they come to any conclusion about whether any of those were authorized or unauthorized?
MS. FULTZ: We are just now at the point where we are separating out the ones that OIG is not investigating. And we've assembled a team and we're starting to go through that to determine if they were authorized or not.
QUESTION: Can you tell us how many are being looked at that are questionable, or that are questionable and are suspicious enough that you would go and look --
MS. FULTZ: The only thing I can tell you is the same thing that you see in the report, the numbers that OIG reported. Until we go through and look at them, we won't know for sure if they were authorized or not.
QUESTION: But you just said that you already had. You already were looking.
MS. FULTZ: We've started the process of doing it, yes.
QUESTION: And so thus far, how many appear suspicious?
MS. FULTZ: We haven't completed reviewing all of them.
QUESTION: Can you give us a ballpark so far --
MS. FULTZ: No.
QUESTION: -- of how many?
MS. FULTZ: No.
QUESTION: I mean, a percentage or --
QUESTION: Can you tell us how many OIG found suspicious enough to warrant further investigation?
MS. FULTZ: I think that's in the report.
MR. DONAHUE: All we have is what's in the report there.
QUESTION: So why don't you tell - can you tell us what it is?
QUESTION: Well, to be frank, I mean, the report is just filled with --
QUESTION: -- lots of nothing.
QUESTION: Lots of - lots of -- so could you tell us what those are, just to sort of --
QUESTION: Can I follow up on Arshad's question just for a second first, though? You mentioned that you're now doing random audits of employees' and contractors' access. My understanding is that back when this first happened, the Department told us that you already did random check -- audits of access. What - is - can you square those two?
MS. FULTZ: We have and have had a system in place where - it's called the monitor list, where certain high profile individuals were - their records were flagged so that if it was accessed, someone would follow up to make sure it was authorized. And that's how the original cases came to anyone's attention.
QUESTION: Is that the list of the 38 names?
MS. FULTZ: No. It's --
QUESTION: Or is it bigger than that?
MS. FULTZ: The original cases in March that started the - started to generate attention.
QUESTION: Right - no, no, but what I was trying to understand is whether the list of - that you were just describing, the circumstances under which - well, two things. One, that's not random monitoring, okay?
MS. FULTZ: No, it's not.
QUESTION: That's - okay.
MS. FULTZ: Right.
QUESTION: So was there - here's a simple question, just to get back to Viola's question. Was there random monitoring prior to your colleague just saying that you had started random monitoring? Was there previously random monitoring or no? Do you know?
MS. FULTZ: I'm not aware of what would have been referred to as random monitoring.
QUESTION: Well -- so, wait a minute. You just said - you told us that you've initiated random monitoring.
MS. FULTZ: Mm-hmm.
QUESTION: Did I misunderstand you, sir?
MR. KIRBY: I said we now conduct random audits.
QUESTION: Random audits?
MR. KIRBY: I can't tell you - or monitoring audits. I can't tell you the date it started. I apologize. I can't tell you that.
QUESTION: Was it post the March disclosures of the presidential candidates' files being improperly accessed? I mean, is it since this erupted in the public, or did you do it before? I don't need the date. I'm just wondering when it occurred to you that'd be a good idea.
MR. KIRBY: In order for me to get you that answer, I would have to take the question and get back to you.
MS. FULTZ: Right.
MR. KIRBY: I'm - and we'll take that and get back to you, but I can't give you a correct answer because I don't know that today, at this time.
QUESTION: I don't understand how - if you can't tell us how many of these accesses or hits are –that you think are improper, how you know that there's such a huge problem? I mean, is it possible that every single one of these viewings of the passport records was legitimate -- was for a legitimate reason?
MS. FULTZ: I guess it's possible, but I think it's unlikely that - some of the numbers that are reported there -- the records that were accessed numerous times. That's probably not likely an authorized access.
QUESTION: Okay. Can you give us a better idea of who these 150 people are, other than –
MS. FULTZ: No. That would be privacy protected.
QUESTION: Would that be privacy protected? You people pull these things off the internet. How is that - and from Sports Illustrated.
MR. KIRBY: I'm sorry --
QUESTION: How is that privacy protected?
MR. KIRBY: I thought the question of who was doing access was what you were asking, or were you asking --
QUESTION: No, no, no. Who - whose names? Like, when - it says that nine individuals had their records hit 101 or more times. Who would these nine people be?
MR. KIRBY: That, in our view, is privacy protected. We're not going to tell you it's this person or that person's record. That's - that's - that is, as our understanding of it, protected by privacy.
QUESTION: Then can you give us a little better idea of -- other than saying that they're from the Forbes hundred celebrities and richest Americans list, or whatever, I mean, who these people are? I mean, there is a great debate about who is a celebrity and who is not, you know. So --
MR. DONAHUE: I think the whole point is this is a - this was an investigation by the IG that they wanted to see how the system was working. They selected 150 names. It wasn't the 150 most important people, it wasn't the 150 - they made up a list of 150. There are thousands and thousands of people who are significant that could have been on that list.
QUESTION: Right. But - but --
MR. DONAHUE: And they used that as a test. So it's just a group of people that help us --
QUESTION: Yeah, but --
MR. DONAHUE: -- audit our system.
QUESTION: Well, I understand, but, I mean, some people in the IG, I don't know who they might think are famous, but, I mean, they could be very different ideas of notoriety for different people. So how do -- you know - we need to - I don't know if it's possible we can get a better idea of who these people –
MR. KIRBY: I wouldn't think -- I mean, I'm sorry. OIG had its own methodology. That would be a question for OIG on their methodology. I'm sorry, that was --
QUESTION: Sure, but you guys know who they are, right? They had to tell you, didn't they?
MR. KIRBY: No, I don't know.
QUESTION: The 150?
MS. FULTZ: They have to - because we're doing --
QUESTION: Well, okay, can you tell us this? Why - what is the difference between the 150 the OIG picked and the 38 that were on your list from before, other than it being bigger?
MS. FULTZ: I mean, you saw that - I think the report, the OIG report talks about the, sort of, broad categories of people that they put in there; people that were in the news --
MS. FULTZ: -- people that were in Sports Illustrated, people that were on the Forbes list. Those are the - to expand a bit.
QUESTION: But the 38 who were on your list before were not?
MS. FULTZ: They fell into - they were well-known people. I mean, we know - you know who three of them are because they were reported in the press, three of the presidential candidates. So --
QUESTION: Well, I know four, because there was the Anna Nicole Smith --
QUESTION: Can I follow up to that?
QUESTION: Yeah, I just wanted to be sure - you're asking - we're asking questions and I understand that some of this should be answered - asked of the OIG people, but I wanted to ask, did anyone try to get them down here with you? Did you - who's - you know, you're talking about a report by the O - the IG, and they're not here. They've blacked out sections of this report and we don't know why they've blacked out, because it's not classified. So what's going on? Why are they –
MR. KIRBY: Well, in terms of why they redacted the report, the redaction is consistent with 5 USC, Section 552 to prevent further unauthorized breeches. And I'm - you know, you're asking a question; I'm giving you what -- the answer that they provided, that - if certain parts hadn't been redacted - in order to make a good report, we have to know all of the vulnerabilities, alright? And they provided us with a clear idea of all the vulnerabilities.
But at the same time, if you describe to everyone all of the vulnerabilities, then people can take advantage of those vulnerabilities. So they redacted it in such a way that people couldn't take advantages of the vulnerabilities. That, I think, is a logical redaction. It put the - a primer on how to take advantage of a system, which doesn't make sense to then lay out and -- for people to take advantage of. So that was the basis for that, and the law - you know, the U.S. code is the - is the basis for the reason they could do that and felt they should do that.
QUESTION: Can I ask a question quick, just --
QUESTION: One more follow-up quickly on that –
MR. KIRBY: We'll go here, and then we'll go there.
QUESTION: You said that you've eliminated almost half of the users, so would that be half of the 20,500 --
MR. KIRBY: Correct.
QUESTION: -- listed in there? Okay. Thank you.
QUESTION: Just one more on that. I said that –
QUESTION: Excuse me.
QUESTION: That's all right, you've got a follow-up, Arshad.
QUESTION: Thank you. It's regarding your first three things. You said that you had added people to the monitoring group that can investigate and follow up. How many people are now doing that and how many were doing it before?
MS. FULTZ: We now have a total of eight --
QUESTION: And before?
MS. FULTZ: -- that are actually doing it. We had two.
MR. KIRBY: Yeah.
QUESTION: Can I ask -- this was obviously triggered back in March by the revelation that the presidential candidates had their files breached. Can you tell us whether either you or OIG is pursuing that any further to know if that - if those particular records which - or cases which are already in the public eye have been -- you know, if there were further breeches of those? More than - I guess there were four cases, or I don't know what the number was at the end of the day, of how many times they were actually breached. Were there any more of those revealed?
MR. KIRBY: More people whose --
QUESTION: Well, more times that the presidential candidates had their files breached beyond what was found in the initial –
MS. FULTZ: If there were, that would be - if there were, it would be in the group that either OIG is continuing to investigate or would be referred to us to follow up on.
QUESTION: So they could be - so --
MR. KIRBY: I mean, if they're continual --
QUESTION: I mean, if there are consecutive --
MS. FULTZ: So possibly, yes. It is possible.
MR. KIRBY: I mean --
QUESTION: Do you - I mean, do you know?
QUESTION: Do you have it?
MS. FULTZ: I don't know.
MR. KIRBY: We haven't been informed recently of further breaches in those cases, but we're monitoring to make sure it doesn't happen. And if it does, we would refer to OIG or to the appropriate people for investigating.
MS. FULTZ: And - right, and they would refer -- in turn, if there were any serious thought of something criminal or something beyond just curiosity, they would then refer that on to appropriate law enforcement.
QUESTION: On the criminal side, was there anything criminal found in this?
MS. FULTZ: So far that we're aware of, no.
MR. KIRBY: Yes.
QUESTION: I'm sorry, could you say that again?
MS. FULTZ: No, that -- not that we're aware of.
QUESTION: Forgive me, I haven't even seen the report, so this may be the first sentence, for all I know, if it matters. The numbers I hear from my colleagues, 38, that was a number not connected with OIG, but with your own earlier, and that includes the three presidential candidates?
MS. FULTZ: (Nodding.)
QUESTION: Now, my question is, were the other 35 people notified that their files were breached?
MS. FULTZ: That was the number of names that were in the list. They were - that doesn't mean they were breached. That was - we had a list of people whose records were flagged so that an alert would be generated if the record were accessed. That's what the 38 is.
QUESTION: That's your own list? You made up a list of 38 from --
QUESTION: Well, three of them were flagged and actually accessed, right? We know that.
MS. FULTZ: (Nodding.)
QUESTION: Those people, the presidential candidates, were so notified at some point?
MS. FULTZ: (Nodding.)
QUESTION: Was anybody else - did anybody else have their records accessed, and were they so notified?
MS. FULTZ: The OIG took over at that point. And so if there were additional unauthorized access and the OIG confirms that, then those people would be notified.
QUESTION: Would be by whom?
MS. FULTZ: By the Department of State, by --
QUESTION: That's you guys, isn't it?
MS. FULTZ: Yes.
QUESTION: So were other people notified, like the three presidential candidates, that their –
MS. FULTZ: Not - no, not yet.
QUESTION: No? Some number were, right?
MS. FULTZ: The three --
QUESTION: Some number were?
MS. FULTZ: Yes.
QUESTION: And as yet, I guess the answer's -- because of the pending (inaudible) --
MS. FULTZ: Yes.
QUESTION: They have not been notified --
MS. FULTZ: Yes.
QUESTION: -- that they had their files seemingly improperly accessed?
MS. FULTZ: Yes, correct.
QUESTION: How many of those were there? Regardless -- I'm not asking who they are, but how many were there?
MS. FULTZ: I don't know, because as we said before, the OIG is -
QUESTION: Got it.
MS. FULTZ: -- took over and looked at those names as well as additional names that were added.
MR. KIRBY: Once the OIG takes over certain kinds of things, we don't get informed necessarily of the actions that they're taking at that point.
QUESTION: Okay, so you do know that there were –
MR. KIRBY: So it's not we're trying to hide --
QUESTION: No, no, I understand that. So you do know that there were additional improper accesses, but you don't how many or whom?
MS. FULTZ: The same table that is in this report is what we know; that there were a large number of accesses to certain individual -- we don't know which individuals those were at this point, but that there were numerous accesses to the same individuals, someone who would be well known. And so we don't know -- since they haven't completed investigating those, we don't know for sure if they were authorized or not.
QUESTION: Okay, so you don't know if they were authorized or not?
MS. FULTZ: Right.
QUESTION: Therefore, you don't - there may be zero additional people who –
MS. FULTZ: It's possible.
QUESTION: Can I -- when you look at the chart, back at the table -- Table 1, you said earlier that –
MR. KIRBY: Can you just tell me - one second, which page?
QUESTION: Page 45. You said earlier that, you know, the hundred - the nine files or the nine names that were hit 101 more times, that seemed inordinately high and it would - suspicious. What's the - do you have a general threshold for - you know, 1 to 25, that doesn't seem like it's particularly suspicious. But, you know, 26 to 50, is that also something that -- you know, that you think that there might be some - something improper going on?
MS. FULTZ: Well, I think it - since we're going to look into all of - all of these cases, I don't think we can say until we look into them.
MR. KIRBY: And if I can just --
QUESTION: How long is that going to take, that process?
MR. KIRBY: If I can just add, I think that we have to look at each of them to see -- and if it's one unauthorized entry, then we should take appropriate action, whether a person's file was unauthorized - had access unauthorized one time or 23 times or 101 or more times, we should take action. We just haven't --
QUESTION: What do you consider appropriate action?
MR. DONAHUE: If there was a business reason --
MR. KIRBY: I mean, appropriate action --
QUESTION: Are they fired? Are they moved to another area?
MR. KIRBY: I mean, we would have to take a look at the individual case and it could range from - you know, at the beginning, it's just - you know –
MS. FULTZ: A reprimand.
MR. KIRBY: Just a reprimand up to and including dismissal. It depends on the set of circumstances.
QUESTION: Yeah, because they had the same kind of thing at UCLA where those people issued - you know, looked through files and they were fired immediately. So you're saying that breaching State Department security by looking - unauthorized looking into it would be from a hand slap to –
MR. KIRBY: You know, we - you have - people have various degrees of due process. Various employees have different kinds of rights, each of us. And we have to take a look at what the set of circumstances was which led - if it was an unauthorized breach, to - you know, what is the appropriate action in that particular case. UCLA has its particular set of standards, that's its. The U.S. Government, for employees, has its set of standards, and ours tend to be, depending on what you do, we have normal employee discipline standards. We're also developing new standards for how we deal with these cases. But --
QUESTION: Can I just ask you about the timeline? I mean, how long is it going to take for you to go through all this? I mean, are you going to make - what are you going to make public or share with us after that?
MS. FULTZ: I'm not sure how long it's going to take to go through it. I mean, we're working on it as quickly as we can and put as many resources right now as we have on it. In terms of public, if you're asking, are we going to come out and say so and so, a particular person's record was accessed inappropriately, I don't think we'll say that, because that, again, would be covered by the Privacy Act.
QUESTION: As far as the steps you're taking, you mentioned adding more monitors and cutting the number of access. Have you widened the monitor system to include more names?
MS. FULTZ: Yes.
QUESTION: Can you say how many? There was 38 before. How big is it now?
MS. FULTZ: It's over a thousand now. And one of the steps that we're working on is to come up with an ongoing system for –
MR. KIRBY: Updating it.
MS. FULTZ: Updating.
QUESTION: So if someone improperly accesses Brangelina, is that one or two? I'm sorry. (Laughter.)
QUESTION: It could be four. (Laughter.)
QUESTION: Good point, a very good point. (Laughter.)
MR. KIRBY: Excuse me.
QUESTION: (Inaudible) identifying individuals that have gone repeatedly into these files? I mean, people that went into the candidates' files, I mean, they were identified and disciplined in some way. So are you in the process of identifying these other people?
MR. KIRBY: I mean, that's what we were talking about before. The OIG is investigating who accessed which files.
QUESTION: So you don't know yet?
MR. KIRBY: And when they are finished with their process, they will refer some to us. And they will refer others to other kinds of disciplinary procedures. So we are - we don't have all of that information now. We will get it at some point. It takes a certain period of time to review it.
QUESTION: Can you say what disciplinary action has been taken up to this point, including the -- from the time the first breaches were made public?
MS. FULTZ: There have been five contract employees fired.
QUESTION: There were three before, right?
MS. FULTZ: Mm-hmm.
MS. RESIDE: Mr. Kirby has to be leaving shortly, so we do need to wrap this up.
QUESTION: So two more -- were the two - the two additional were involved in whose - in which breaches?
MS. FULTZ: One of them, I'm really not sure. The other one was a presidential candidate.
QUESTION: One of the three? One of the three previously identified?
QUESTION: Both of them were in the cases of - in those three cases of the three presidential candidates, right, or not?
MS. FULTZ: The original two that –
QUESTION: The original --
MS. FULTZ: The original three --
MS. FULTZ: I guess, yes. And of the two --
QUESTION: Was that the same person who was reprimanded, or was that an additional person, in fact? Because there was one person that was only reprimanded and wasn't fired.
MS. FULTZ: He was later terminated.
QUESTION: I'm sorry, did they --
QUESTION: That same person was later terminated?
MS. FULTZ: They were -- those were contract employees.
QUESTION: The five who were terminated, it was all in reference to those three presidential candidates, McCain, Obama or Clinton?
MS. FULTZ: I'm not sure who one of them was.
QUESTION: So four were and one you don't know?
MS. FULTZ: Mm-hmm.
QUESTION: Got it, okay.
QUESTION: Early on, one of the suggestions was to have the - when you went into one of these flagged files, that you would have to get permission from a supervisor. Is that in this report or is that just some –
MR. KIRBY: We're in the process of also developing and changing the computer program that allows you to bring up things and to layer the access to files, so that certain files could only be accessed by supervisory personnel, but --
QUESTION: Okay. But that's not finished yet?
MR. KIRBY: It's - you know, when you have a database with many millions of names, it's a complex process to change access levels and keep the system stable. But we're working quickly on that.
QUESTION: And my last thing, very briefly, though. On the first page, it says that computers contains records on 192 million passports for 127 million passport holders. Was this - I don't - why is it different? Why is --
MR. KIRBY: I'm sorry?
QUESTION: Some people have more than one passport.
QUESTION: I - 60 million --
QUESTION: Sixty million people don't have two passports.
QUESTION: What's the --
MS. FULTZ: It goes back longer than ten years. That database goes back to 1983, so --
QUESTION: So it includes expired passports?
MS. FULTZ: Yes, it does.
QUESTION: Right. Okay, that would answer --
MR. DONAHUE: Okay. Ambassador Kirby, do you have anything to close with?
MR. KIRBY: I'm okay. Happy Fourth of July.
MR. DONAHUE: Thank you very much and thanks, everybody for staying a little late. Have a great, long weekend. Thanks a lot.
Released on July 4, 2008