Fingerprint Data of 5.6M people released in OPM Hack
Sep 23, 2015
OPM has updated the count of people whose fingerprints were released in the hacks announced earlier
this year. Previous statements claimed that fingerprints of approximately 1M people were released. The
latest update increases that number
to 5.6M people. The total number of people whose records were released in the hack remains around 21.6M.
Two Federal Employee Unions File Suit Over OPM Data Breach
Aug 7, 2015
The National Treasury Employees Union and the American Federation of Government Employees (AFL-CIO)
have filed lawsuits against OPM over the data breach. The complaints can be downloaded here and here.
OPM Releases Background Check Information From All Investigations Since 2000
Aug 6, 2015
In April and June of 2015, the federal Office of Personnel Management
discovered at least two computer security breaches that allowed the theft of more than 20 million personnel records from
OPM computer systems. In the first incident, personal data of approximately 4.2 million current and former US government
employees was stolen. In the second, larger incident the background investigation records of more than 21.5 million federal employees, contractors,
and other affiliates was stolen. These data included, by OPM's own admission, the data from anyone who submitted forms SF-85, SF-85P, and SF-86
since the year 2000. Some reports indicate that the losses may go back much further in time. The released data include not just the information submitted on
the forms, but also the investigation details from interviews with friends, family, co-workers, and neighbors. The data include personal identifying
information from at least 1.8 million non-applicants-- close family members and co-habitants whose data (including social security numbers)
were provided by applicants as part of security investigations. In some cases the stolen data include passwords used for the e-QIP system, as
well as fingerprint data. OPM has barely begun individually notifying victims of the personal data release, and so far mostly only government employees. OPM
has created a web page detailing much of the data release here
JPL IT security has sent out two lab-wide notifications, one shortly after the breaches were revealed to include all SF-85, SF-85P, and SF-86
applicants, and the second recently to forward a newsletter from NASA Ames Research Center with recommendations for how to deal with
the release of personal information. The newsletter can be downloaded here. The list of things to do
to protect oneself is neither short nor easy to implement, and the government is so far providing no support.
The impact of this release of data on the lives of federal employees and contractors, as well as national security, cannot be
underestimated. The release includes complete, validated, collated data with names, social security numbers, residence histories,
lists of family and associates and their contact information, information on drug history, medical, psychological, and psychiatric histories,
sexual histories, and any other information revealed to investigators. Such information cannot be unreleased-- it is out and will remain out,
likely to be stolen again from or released by whoever copied it from OPM. It can be used in very targeted "spearphishing" attacks and
to potentially blackmail, extort, or otherwise take advantage of government employees and contractors in ways that are socially and economically
harmful, and even improperly obtain national security information.
National Labor Relations Board Upholds Sanctions Against Caltech
March 15, 2014
A three-member panel of the National Labor Relations Board, upholding last year's decision by
an administrative law judge, ruled last Wednesday that the California Institute of Technology
had engaged in unfair labor practices. Last May, Judge William G. Kocol found that Caltech had
violated the National Labor Relations Act when the institute disciplined five employees at the Jet
Propulsion Laboratory who used email to communicate with colleagues about a Supreme Court
decision pertaining to JPL employee privacy rights. Caltech administers JPL under a contract
For further information, please refer to the complete Media advisory and
the NLRB Board Decision. Case docket is available
on the NLRB website.
Administrative Law Judge Finds JPL/Caltech in Violation of US Labor Law
Recommends to National Labor Relations Board to find in favor of employees
May 9, 2013
Judge William G. Kocol recommended on May 9, 2013, that the NLRB find that JPL "engaged in unfair labor practices affecting commerce within the meaning of Section 8(a)(1) and Section 2(6) and (7)" of the National Labor Relations Act.
The employees were disciplined for disseminating protected, work-related information regarding the status of the Nelson v. NASA case. The employees filed complaints with the NLRB, which chose to pursue the case and argued successfully before the court that the employees' communications were protected under the act. Judge Kocol's findings will be taken up by the NLRB for final determination.
The full text of the finding and recommended order is available here: NLRB Decision.
Press Conference on NASA Data Breach
JPL Employees Call for Congressional Investigation into NASA Privacy Breech
November 28, 2012
Press Conference: Wednesday Nov 28 10 AM PST
At the offices of Hadsell, Stormer, Richardson & Renick, LLP
128 Fair Oaks Avenue, Pasadena CA 91103
Click here to download the press release (available 10am PST, Nov 28, 2012)
Statement from Robert M. Nelson
My name is Robert M. Nelson. For the last 34 years I have worked as astronomer doing research at Jet Propulsion Laboratory in support of NASA's Solar System Exploration Program. I was a co-investigator on NASA's Voyager Grand Tour of the Solar System and I was the Project Scientist for NASA's Deep Space 1 mission, NASA's first mission to flyby and image a comet. I am currently a member of the Cassini Saturn Orbiter mission.
Six years ago I and my colleagues at JPL were ordered by NASA to submit to background investigations of unlimited scope into the most intimate details of our private lives. We were asked to 'voluntarily' agree to allow "...any investigator, special agent, or other duly accredited representative of the authorized Federal agency conducting my background investigation, to obtain any information relating to my activities from schools, residential management agents, employers, criminal justice agencies, retail business establishments, or other sources of information. This information may include, but is not limited to, my academic, residential, achievement, performance, attendance, disciplinary, employment history, and criminal history record information." Our employer, Caltech, which manages JPL for NASA, assured us that if we did not 'voluntarily' agree to this investigation we would be fired.
In the Fall of 2007 I and 27 JPL colleagues filed lawsuit in federal district court to stop or limit the scope of these investigations. After our suit was dismissed in District Court the Ninth Circuit Court of Appeals found merit in our case and issued an injunction that blocked these open ended probes. The Ninth Circuit ruled that the investigations had to be narrowly tailored to meet the Government's specific needs. Open ended fishing expeditions were ruled out. One of our principal concerns was that such intimate personal information could not be kept sufficiently secure in the hands of the sprawling government bureaucracy. Unfortunately, on appeal, the United States Supreme Court lifted the injunction in 2011. The Supreme Court held that our personal information was amply protected under the provisions of the Privacy Act. By June 1 of this year, the background investigations of my JPL colleagues were completed or fully underway. I left JPL on April 28.
Recently, tens of thousands of NASA present and former employees and contractors received a communication from NASA informing us that a laptop computer issued to a NASA employee in Washington had been stolen last Oct 31 after being left in a parked car. The highly personal and sensitive information on the NASA computer was NOT encrypted. Some of this information includes material gathered by the open ended and unconstrained background investigators of the type described above.
We warned of this possibility five years ago when we filed our lawsuit. We were ignored by the courts. Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat our argument has been proven. Our nightmare of five years ago has become a reality. We therefore are asking Congress to conduct an investigation into NASA's behavior in this unsavory affair and to develop new standards which protect the privacy of federal employees.
Robert Nelson Letter to Congressional Representatives
Statement from Dennis Byrnes
I am Dennis Byrnes, Chief Engineer for Flight Dynamics at JPL until my retirement April 1, 2012. As a plaintiff in the HSPD12 Nelson v. NASA case, I was very concerned when I received the letter from Mr. Keegan of NASA regarding the stolen computer which contained personally identifiable information for over 10,000 NASA employee and contractor personnel including myself. I am further concerned over the company with which NASA has contracted to provide identity theft services for us. No information on the company was provided nor on the process for choosing them. I have expressed my concerns and requested information from NASA in an as yet unanswered email sent on Tuesday, November 20, 2012. It follows:
From: Dennis Byrnes
Date: November 20, 2012 2:03:03 PM PST
Subject: Stolen Laptop - compromised PII incident
I have received the letter from Mr. Keegan indicating that my PII was included on the stolen laptop.
I retired from JPL on April 1, 2012.
I require that you tell me precisely what information relating to me was stolen.
I wish to know more about ID Experts than is available on the web. How were they chosen, was it a competitive bid or do they have some inside advantage at HQ? What were the requirements in issuing the contract to them? What is the cost of the contract?
There is no apparent rating or reviews of ID Experts available, how do I know that they are trustworthy or will they be releasing any information that I give them to their affiliates and unknown related companies?
In your letter you list a number of recommended steps, some of which could be costly both monetarily as well as in inconvenience. Will NASA also be reimbursing me for these steps?
This situation is precisely what we warned you of in our suit against you (Nelson v. NASA) regarding the implementation of HSPD12 which went to the US Supreme Court.
I look forward to a timely reply. Thank you,
Dennis V. Byrnes
Chief Engineer for Flight Dynamics , JPL (retired)
Statement from Jim Kulleck
In the past, handling classified material was considered to be a justified reason for demanding that federal employees be subject to extended background investigation. Due to the recent ruling by the Supreme Court, anyone who now works at JPL has been compelled by NASA to relinquish their right to privacy as a condition of employment. It appears that there are no longer any objective criteria for these types of investigations.
Those who cut the grass and wash the dishes and the other 98% of the employees at JPL who do no classified work have had themselves and their families exposed to the potential of identity theft as a result of the cavalier handling of personal data by NASA and the subsequent theft of that data. During the judicial actions in this case, the plaintiff employees were not provided the opportunity for discovery, complained of the potential for data mishandling and endured false statements which were presented to the Supreme Court by the government. The Supreme Court summarily ruled in NASA's favor.
Unless there is clear evidence of illegal activity, neither the government nor businesses should be collecting information about individuals that extends beyond a person's duties as an employee. To allow various types of personal and consumer information to be accumulated enables an employer to discriminate against a potential employee without their knowledge. This, in and of itself, is inconsistent with existing employment law. Legislation needs to be implemented to correct these problems and protect individual privacy.
A Letter to Colleagues
A group of former plaintiffs in the HSPD-12 legal action wrote a
letter to their colleagues at JPL:
As you know from the August 25 e-mail from JPL Deputy Director Eugene Tattini, JPL/Caltech has
resumed HSPD12 credentialing and the associated investigations. The e-mail suggests that 25% of
employees are yet to be badged. Some of those employees have been waiting until the lawsuit was
resolved, either anticipating a better process or simply biding time. Many of them have contacted
former plaintiffs in the lawsuit with questions about the process and for guidance on how to proceed.
We address some of those questions ...
The full text of the letter can be found here.
HSPD-12 Legal Action Dismissed, Injunction Lifted
On June 22, 2011, the District Court granted NASA's motion to
dismiss the case, and vacated the injunction that halted the implementation of HSPD-12 investigations at JPL:
IT IS SO ORDERED that, in light of the United States Supreme Courtís decision
in the above-captioned matter, Defendantís pending Motion is hereby GRANTED. The
July 11, 2011 hearing on this matter is VACATED and no appearances are necessary.
Furthermore, the preliminary injunction entered by this Court on March 13, 2008 is
VACATED, and this matter is DISMISSED with prejudice, each party to bear its own
fees and costs.
In anticipation of the District Court's final proceedings following the Supreme Court's ruling in NASA v. Nelson,
the Plaintiffs had filed the following statement with the Court:
(Signed) HON. OTIS D. WRIGHT, II
UNITED STATES DISTRICT JUDGE
TO ALL PARTIES AND TO THEIR COUNSEL OF RECORD:
Plaintiffs will not oppose a motion to dismiss by Defendants, nor an order of
dismissal by this Court, in light of the following factors: 1) The Supreme Courtís
this matter, which assumed the existence of the right to informational privacy
but refused to decide its scope; 2) the fact that NASA has decided to remove the
Suitability Matrix challenged by this
injunctive relief action and replace it with a less
objectionable list of criteria; and 3) the fact that this action only presented
challenge to the background investigation process, and not a challenge to the actual
application of such an investigation.
In light of these considerations, plaintiffs hereby stipulate that the matter may be
dismissed either by the courtís own motion or upon motion of Defendants.
DATED: May 2, 2011
U.S. Supreme Court Rules for NASA in JPL Employees' HSPD-12 Privacy Case
On January 19, 2011, the U.S. Supreme Court reversed the decision of the 9th Circuit Court of Appeals and held
that the challenged questions on federal forms SF-85 (inquiring the subject on any treatment received for recent drug use) and
INV42 (sent to references and soliciting information on the subject's honesty and integrity, as well
as other general conduct, use of intoxicants, finances and mental health) do not impinge upon JPL employees' right
to informational privacy. The majority decision was written
by justice Alito. Justices Scalia and Thomas both filed opinions concurring in judgment.
The case was remanded to lower courts for further proceedings.
The majority opinion noted that "NASA will not and does not use" the "suitability matrix" previously given
by JPL management the the lab employees as the guidelines for HSPD-12 suitability determinations. The court also noted
Solicitor General's assertion that "NASA views treatment or counseling solely as a "mitigat[ing]" factor
that ameliorates concerns about recent illegal drug use."
American Astronomical Society Leadership Write to NASA Deputy Administrator Ms. Lori Garver
The letter states, in part:
Dear Ms. Garver:
The full text of the letter and the
AAS Amicus Curiae filing are available.
We are writing to you in our capacities as President of the American Astronomical Society (AAS) and Vice-Chairman of
its largest division, the Division for Planetary Sciences (DPS) on the
issue of background investigations of members of NASA's Jet Propulsion Laboratory staff,
many of whom are AAS-DPS members. The Supreme Court has ruled that
background investigations of federal contract employees like those at JPL are permissible where appropriate, but
the nature and breadth of the background investigations remain at the discretion of the
individual agency (Case #09-530). The decision regarding how NASA proceeds is in the hands of you and
We hope that you might consider our suggestions as you deliberate this question. We have worked with many of the plaintiffs and
submitted an Amicus Curiae brief to the Supreme Court (the first in the
112-year history of the AAS) in connection with this case. We understand
that while the case was motivated by matters of unlimited investigations of personal privacy, we
are also strongly concerned that an intrusive background investigation policy will detract from NASA's ability to draw
the highest level of technical talent for the Agency's mission. Our
view is summarized in the wording of the AAS Amicus Curiae, which said, in part, "Yet, a
significant number of US astronomers would be or are unwilling to work in an environment where they are subject to
intrusive, open-ended background investigations at issue here. Their loss
will impact the entire professional community - even those individuals
that agree to undergo the background investigations."
Please consider the following:
1) Homeland Security Presidential Directive #12 (HSPD12) requires only that a uniform identification badge be established for
all employees and contractors at federal facilities. Background investigations are never mentioned in the directive[...]
We suggest that an approach modeled on the DOE and NSF implementations would lead to a
reasonable closure of the HSPD12 matter. It is a solution that respects the security concerns of the government, the privacy concerns of JPL employees,
and maintains the broadest reasonable access for the astronomical community to
participate fully in exciting work that brings us all to NASA.
2) Some agencies such as the National Science Foundation did not issue new credentials to employees at
facilities under their cognizance. At Department of Energy-administered FFRDCs where little
or no classified work is done (e.g., Fermilab), HSPD12 procedures were
not imposed on workers who did not do classified work [...]
Debra M. Elmegreen, President
American Astronomical Society
Daniel Britt, Vice-Chairman
AAS Division for Planetary Sciences
An Open Letter from the plaintiffs to their JPL colleagues.
Science and Civil Liberties Stakeholder Support
Amicus curiae briefs in support of JPL employees have been filed by
American Astronomical Society,
Union of Concerned Scientists,
Electronic Frontier Foundation,
The American Civil Liberties Union,
Drug Policy Alliance,
The Electronic Privacy Information Center and Legal Scholars and Technical Experts, and
California Employment Lawyers Assocaition.
Our superb legal team -- Hadsell, Stormer, Keeny, Richardson & Renick LLP -- is
one of the nation's premier civil rights firms, and has given generously of
their time to fight for our rights. We are urging supporters to contribute to the legal fund.
Please send your donations, payable to "HSKRR", to Bob Nelson,
775 N. Mentor Ave., Pasadena, CA 91104.
Current Status as of July 11, 2011
- Injunction: No longer in force.
- Court Case against NASA: Dismissed.
Dr. Robert Nelson, lead plaintiff, provides a brief summary of the case in an interview with
Law and Disorder Radio (audio also
available here, at 8:30 minute mark).
For more details on the legal case, please see the
Lawsuit(Updated 9/24/10) and
Timeline(Updated 9/24/10) pages.
- On May 17, 2010, Office of Personnel Management issued
a Federal Investigations Notice stating, in part:
As you may know, questions have arisen in recent litigation as to whether any additional
standards may be used for identity credentialing. In Nelson v. NASA, 530 F.3d 865 (9th Cir. 2008), cert. granted,
No. 09-530, 2010 WL 757694 (2010), a case now before the
U.S. Supreme Court, a group of individuals employed by a NASA contractor at NASA's Jet Propulsion Laboratory
(JPL) have sued to enjoin the Government from conducting the background checks necessary for issuing
identity credentials under HSPD-12.Those individuals contend that the government will make identity
credentialing decisions based on an "issue characterization chart" posted on JPL' s intranet site.
That chart lists standards that are different from those prescribed by OPM in the guidance described above.
In light of the questions raised by the plaintiffs in the Nelson litigation, OPM issues this further
memorandum to ensure that there is no confusion or misinformation about the factors that
Government agencies may consider when making credentialing determinations.
A publicly accessible document containing the chart at issue as Attachment 2, "Office of Personnel Management Issue Characterization Chart",
NASA Desk Guide for Suitability and Security Clearance Processing, was replaced in early 2010 with a stub document
stating that "THIS DOCUMENT IS NO LONGER AVAILABLE FOR VIEWING". The stub metadata dates the document as 2/16/2010.
A local copy of the Desk Guide is still available.
It mentions "carnal knowledge", "attitude", "sodomy", "keeping house of ill repute", "bestiality", "displaying of obscene material" as
disqualifying factors. "Cohabitation, adultery, illegitimate children" could also be disqualifying.
- NASA HSPD-12 badge holder is a health hazard.
- January 31, 2008. Robert Nelson, Dennis Byrnes and Susan Foster, plaintiffs in the matter Nelson et al. vs. NASA,
Dept. of Commerce and Caltech, on behalf of concerned Caltech employees at JPL wrote a
letter highlighting the Appellate Court injunction
decision and seeking help and support from the broader Caltech academic community. This and previous letters, as well as other
material distributed to JPL and Caltech community can be found on the Reference Documents page
- In the ongoing proceedings in the District Court, plaintiffs move to certify the following class (suppl.)
for injunctive and
All current and future employees and subcontractors of the California Institute of Technology hired to work at the
Jet Propulsion Laboratory, or required to have physical or electronic access to that laboratory, who hold "non sensitive" or
low risk positions, and are required to complete OPM Standard Form 85 and submit to a background investigation as set forth in
NASA Interim Directive 1600.1.
- See more details on the Lawsuit, Press releases, and Media
Other new things on this site
- Interactive timeline of the court proceedings and the associated events.
- If you want a T-shirt, button, mousepad, or mug, please visit cafepress.com/hspd12jpl. This
is the recommended way for people outside of the local area to acquire
these items. (JPLers can also get one by contacting the webmaster.) We don't get any
of this money, but it is still a great way to show your support!
- JPL scientists call for senate inquiry. Read their letter, which is also archived on
the reference documents page.
- See an informational
brochure you can print and distribute yourself. It's on the
reference documents page, too.
- On June 3, 2008 U.S. Reps. Kucinich and Davis addressed HSPD-12
among other NASA workforce issues in the context of
NASA's budget authorization:
...we recommend that H.R. 6063 include a provision that requires that NASA halt implementation
of its new policy of reinvestigating employees in low-risk positions, until the constitutionality
of this process is fully settled by the Courts. The President issued Homeland Security Policy
Directive #12 to mandate that all civil servant and contractor employees who have access to
federal facilities be subjected to standard background checks and be issued standardized
badges that can allow Agencies to reliably verify an employee's identity. While we do
not object to this security measure, its implementation has been flawed. NASA has used
HSPD-12 to instigate a new security policy, NPR1600.1, which establishes periodic
reinvestigation of long-time NASA civil-servant employees who have already passed earlier
background checks. Furthermore, the affected positions include those rated as low-risk.
The process is so intrusive, the 9th circuit Court of Appeals issued an injunction preventing
its implementation for the Jet Propulsion Laboratory contract employees pending judicial review.
Regrettably, NASA has decided to interpret this injunction narrowly and to move forward with
re-investigations of low-risk civil-service employees using the same constitutionally suspect
process. We believe that the decision to go beyond HSPD-12 and to subject NASA's civil service
employees to an unnecessary, expensive and intrusive invasion of privacy is unwarranted and unwise.
- On April 9, 2008, U.S. House of Representatives Subcommittee on Government Management, Organization and Procurement
(Committee on Oversight and Government Reform) held a hearing,
"Federal Security: ID Cards
and Background Checks."
"The hearing [released] a new Government Accountability Office
(GAO) report finding that the program is
incurring high costs but providing little benefit to date..."
Letters written to the committee are on our Forum. We encourage you to post yours as well.
- No federal agency met the October 27, 2007 deadline
to complete the HSPD-12 background checks
- IRS wasted millions of dollars
implementing HSPD-12, according to an
Inspector General report. The same report cites the estimated 14-year cost of implementing HSPD-12 at
the Dept. of the Treasury (with 1.5x as many personnel as NASA), at $421 Million, a bit over the cost of
a Mars scout mission
- NASA's Johnson Space Center employees and contractors
are concerned about HSPD-12.
- Ames Federal Employees Union is concerned about
aspects of HSPD-12 rebadging.
- Contractor employees of U.S. Department of Education have a problem
with the "security screenings".
Welcome to the fight against JPL's rebadging process. This site contains
information about why the $6 million rebadging process is unfair,
unethical, and illegal. Read about it for yourself, and if you agree
with us, join our fight against it!
You may be shocked when you find out what is really involved, how
dangerous it is, and how much of your freedom you are giving up. To get
rebadged, you don't simply provide information on forms-- you provide
information that begins an investigation of you.
Did you know:
- That the release form on the SF85 or SF85P authorizes an
investigator to obtain "any information" on you from schools,
residences, employers, criminal establishments, and any other sources,
and that the investigation is explicitly "not limited"?
- That each of the neighbors, supervisors, and references you are
required to provide will be sent a questionnaire asking about
your "mental or emotional stability," "financial integrity," and "abuse
of alcohol and/or drugs," among other things?
- That SF85 remains in effect for two years, whether or not you stay
at JPL? In other words, federal agents can use your SF85 release as
permission to investigate you for two full years, even if you are no
longer affiliated with a federal agency
- That the new rules prevent JPL from issuing retiree badges?
- That the official SF85 and SF85p forms describe the process as
"voluntary," but that jpl will terminate your employment if you don't
fill it out?
This is just a sampling of why the process is causing concern. If these
provisions worry you even a little, you may want to read the FAQ and
in-depth research to learn more.
If you are new to how HSPD-12 works at JPL, you may also want to read
this overview of HSPD-12 and the JPL rebadging