Excerpt
The un-vetted computer engineer plugged into law enforcement networks and a database of 5 million Arizona drivers in a possible breach that was kept secret for years.
Lizhong Fan’s desk was among a crowd of cubicles at the Arizona Counter Terrorism Information Center in Phoenix. For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.
The facility had been set up by state and local authorities in the aftermath of the 9/11 terror attacks, and so, out of concerns about security, Fan had been assigned a team of minders to watch him nearly every moment inside the center. Fan, hired as a contract employee specializing in facial recognition technology, was even accompanied to the bathroom.
However, no one stood in Fan’s way when he packed his equipment one day in early June 2007, then returned home to Beijing.
There’s a lot that remains mysterious about Fan’s brief tenure as a computer programmer at the Arizona counterterrorism center. No one has explained why Arizona law enforcement officials gave a Chinese national access to such protected information. Nor has anyone said whether Fan copied any of the potentially sensitive materials he had access to.
But the people responsible for hiring Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed. Fan, they said, was authorized to use the state’s driver’s license database as part of his work on a facial recognition technology. He often took that material home, and they fear he took it back to China.
Under Arizona law, then-Gov. Janet Napolitano and Maricopa County Sheriff Joe Arpaio, whose agencies admitted Fan into the intelligence center, were required to disclose to the public any “unauthorized acquisition and access to unencrypted or unredacted computerized data” that includes names and other personal information.
To this day, they have not.
Terry Goddard, attorney general of Arizona in 2007, said Fan’s access and disappearance should have been reported to his office, but it was not. Arizona law puts the attorney general in charge of enforcing disclosure.
The state was supposed to have scrubbed drivers' names and addresses from the license data. State officials denied requests to discuss the extent of the data breach, including what personal information was in the files.
In fact, a review of records shows that David Hendershott, who was second-in-command at the sheriff’s office, moved aggressively to maintain silence, a silence that has now lasted some seven years. Two weeks after Fan departed, Hendershott directed others in writing not to discuss Fan and the possible breach. In an email to the outside contractor that had hired Fan, Hendershott wrote: “Keep this between us and only us.”
Even among administrators at the Phoenix center, very few learned that the Chinese programmer had left the country or that their own personal information might have traveled with him. Mikel Longman, the former criminal investigations chief at the Arizona Department of Public Safety, said he received no warning about the incident.
“That really is outrageous,” Longman said. “Every Arizona resident who had a driver’s license or state-issued ID card and all that identifying stuff is potentially compromised. That’s a huge breach.”
Napolitano, who went on to serve as President Barack Obama’s secretary of Homeland Security, did not reply to multiple interview requests.
Hendershott, Arpaio’s longtime chief deputy, hung up on a reporter when reached by telephone. The sheriff’s office fired Hendershott in 2011 over an array of alleged misconduct. And he in turn filed suit in 2012, saying his legitimate law enforcement work had been mischaracterized as abuses of power. His suit was dismissed earlier this year. Today, he sells real estate in west Phoenix.
Col. Robert Halliday, the director of the Arizona Department of Public Safety who formally oversaw the operations of the intelligence center at the time Fan worked there, also did not respond to repeated interview requests.
Current officials with a handful of agencies involved with the intelligence center offered a variety of reasons for declining to answer questions about Fan and the possible breach.
The public safety agency initially denied that any potential breach had happened, then said the matter was the subject of a confidential FBI investigation. Later still, the department argued the case was a personnel matter, and thus the agency would not comment as a matter of policy. The sheriff’s office said that during the time that Hendershott was still working for the agency, he never reported anything about Fan – his hiring, his work or his flight.
Seven years after the potential breach, then, it is still unclear how closely law enforcement looked into the incident or what steps, if any, it took as a result. The FBI opened a probe shortly after Fan’s disappearance, according to records and a former federal investigator, but the bureau has never made its findings public.
Perryn Collier, spokesman for the FBI’s Phoenix office, said the bureau won’t comment on investigations involving Fan.
Chinese espionage has made news in recent months as federal investigators have revealed successful assaults by hackers against businesses and government. Last March, homeland security officials in Washington discovered that cyber attackers later traced to China had accessed data on federal workers who’ve applied for top-secret clearance. These electronic break-ins were conducted remotely, continents away from the servers holding the data.
How the Phoenix intelligence center found itself vulnerable to a serious security breach, however, was neither much of a technological feat nor, it seems, the result of masterful espionage. Indeed, an investigation by The Center for Investigative Reporting and ProPublica – built on more than 50 interviews and the examination of thousands of pages of federal investigative reports, criminal and civil court filings, internal correspondence and immigration records – shows the episode at the intelligence center came off rather easily.
John Lewis arrived as the FBI’s special agent in charge of the Phoenix division in the spring of 2006. Lewis, now director of security for the Lawrence Livermore National Laboratory in the San Francisco Bay Area, had a vague recollection of a contractor or subcontractor working at the center. But he said he did not specifically recall that the person was a foreign national, nor did he have any “immediate recollection” of a security breach.
“No one ever sat in my office and asked about having a foreign national inside the fusion center. That’s nuts,” Lewis said, adding that if he had been asked, his response would have been, “Can we do a little bit better guys?”
The chance that Fan made off with a raft of sensitive material was made possible by a set of cozy relationships – among a tainted sheriff’s official, a dubious technology startup company and a woman who U.S. government officials think is a Chinese spy.