A former Jet Propulsion Laboratory scientist who took his concerns about worker privacy to the US Supreme Court is now questioning NASA’s handling of what he and his attorney are calling a major breach of privacy involving all employees of the nation’s space agency.
Dr. Robert Nelson, who resigned in April after 34 years as an astronomer at JPL, is one of thousands of employees past and present recently notified by NASA that sensitive personal information collected under the mandates of a controversial presidential directive — Homeland Security Presidential Directive #12, or HSPD12 — may have been contained in a laptop computer stolen from a car parked outside NASA’s Washington, DC, offices on Halloween.
Nelson, who formerly worked on NASA’s Solar System Exploration Program, served as a co-investigator on NASA’s Voyager Grand Tour of the Solar System and was the project scientist for its Deep Space 1 mission, and other space agency employees said they were afraid something like this would happen when they argued in 2007 against HPSD12, signed by former President George W. Bush.
The directive requires all NASA employees to acquire and show a common employee badge. JPL is owned by NASA and managed by Caltech. HSPD12 also forces all employees to submit to intensive background searches that can delve into criminal backgrounds, sexual practices, academic records, spending habits and any other subject the privately employed investigators decide to ask about.
“We warned of this possibility five years ago when we filed our lawsuit,” Nelson said of his suit against NASA, which was upheld by the US Court of Appeals for the Ninth Circuit in Pasadena but later overturned during appeal by the US Supreme Court in Nelson v. NASA.
“We were ignored by the courts,” Nelson said. “Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat, our argument has been proven. Our nightmare of five years ago has become a reality.”
That nightmare scenario began shortly after a NASA employee left work on Halloween night with a password-protected, but unencrypted, laptop computer containing information on some 10,000 NASA employees obtained from background checks ordered by HPSD12. Later that evening, the laptop was stolen, putting thousands of people at risk, according to Nelson’s Pasadena attorney Dan Stormer, who unsuccessfully argued the case against HSPD12 before the Supreme Court.
“What are the odds a computer sitting on a dashboard in a parked car in Washington, DC, would be stolen on Halloween night,” Stormer said sarcastically. “It is outrageous that low-level, no-risk employees have to needlessly reveal highly personal information. To add insult to injury, NASA recklessly allows repeated releases of this private information. This is a scandal and a shame.”
NASA officials won’t say exactly how the computer ended up in the car or if any arrests have been made as a result of the theft. Last week, NASA spokesman Allard Beutel said the agency would from now on encrypt all laptops and personal information to ensure against possible breaches in the future.
According to Beutel, the agency will no longer allow laptops to leave the facility. “We take this very seriously,” he said in an interview Friday. “We get the importance. There’s no disagreement.”
Actually, since 2007 nothing could be further from the truth, according to Stormer and his clients, who include former JPL employees Dennis Byrnes and Jim Kulleck. Their information may have also been compromised with the laptop theft.
“Those who cut the grass and wash the dishes, and the other 98 percent of the employees at JPL who do not do classified work, have had themselves and their families exposed to the potential of identity theft,” Kulleck pointed out.
In a letter revealing the theft of the computer, NASA said it is protecting its employees by paying for an identity protection program that would alert workers if someone attempted to access credit files. However, the agency has refused to reveal the name of the company performing the service and the reason why it was chosen.
Stormer is calling for a congressional investigation to determine why the laptop was not encrypted. If Congress fails to act, Stormer said he would file a class-action lawsuit against NASA.
On Nov. 28, Congressman Adam Schiff, D-Glendale, called on NASA to provide more information on security measures regarding the agency’s sensitive information.
“I am deeply concerned with the vulnerability of our networks,” Schiff wrote in a prepared statement. “And as a member of the appropriations subcommittee that oversees and funds NASA, I will be calling on the agency to report on and accelerate its efforts to maintain data security. The low-tech theft of a laptop is troubling enough, but it only scratches the surface of potentially far greater data vulnerabilities.”
US Rep. Judy Chu, D-Pasadena, also said in a statement she would push the agency to improve data security.
“NASA has previously had security breaches of sensitive information,” Chu said. “It has to stop.”
This isn’t the first time a laptop computer with sensitive information has been lost by NASA, according to a 2009 report in The New York Times. In the story “NASA Needs to Remedy Vulnerabilities in Key Networks,” the Government Accountability Office (GAO) said the agency had reported 1,120 “security incidents” in 2007 and 2008 alone. The report also revealed that in 2009, a NASA center reported the theft of a laptop containing about 3,000 unencrypted files about arms traffic regulations and wind tunnel tests for a supersonic jet.
Nelson’s battle against JPL began when he publicly objected to HPSD12 after he and other employees were told they would be fired if they did not submit to background checks.
“We’re not against the notion that an employer such as Jet Propulsion Laboratory should do a background investigation on its employees,” Nelson said. “It certainly needs to know where I went to school, what my degree is in and are the scientific papers that I claim I wrote really the papers I wrote? Just because they need to know that I wrote a scientific paper doesn’t mean they need to know every person I went to dinner with, or every person I slept with, which they do consider their prerogative.”
To make matters worse, precedence in a previous case, Department of the Navy v. Egan, makes it impossible to appeal any adverse findings from a background check. HSPD12 applies to all employees of JPL, even those like Nelson, who have never handled classified files and information or worked on high-profile projects like recent unmanned space flights to Mars.
Nelson and two dozen other JPL employees filed suit, but a federal judge allowed JPL to go forward with the background checks. The appellate court later overturned that decision and imposed an injunction protecting the employees, ruling that the background investigations must be narrowly tailored to meet NASA’s specific concerns. That ended what opponents of HSPD12 had referred to as open-ended fishing expeditions.
But that decision was overturned by the US Supreme Court after NASA supposedly changed the way it conducted the inquiries and claimed employees would be protected by the Privacy Act, which prohibits agencies from disclosing records without written consent from the person to whom the records pertain.
“It gives me little pleasure to say that we told you so,” Nelson said. “But we did. Five years ago, we warned of this possibility that if the government had this kind of information at this kind of detail, that it will surely be leaked.”