After failing to prevent the terrorist attacks of September 11, 2001, the U.S. government realized it had an information sharing problem. Local, state and federal law enforcement agencies had their own separate surveillance databases that possibly could have prevented the attacks, but they didn’t communicate any of this information with each other. So Congress directed the newly formed Department of Homeland Security to form “fusion centers” across the country, collaborations between federal agencies like DHS and the FBI with state and local police departments, to share intelligence and prevent future terrorist attacks.
Yet in 2012 the Senate found that fusion centers have “not produced useful intelligence to support Federal counterterrorism efforts,” that the majority of the reports fusion centers produced had no connection to terrorism at all, and that the reports were low quality and often not about illegal activity. Fusion centers have also been criticized for privacy and civil liberties violations such as infiltrating and spying on anti-war activists.
Last month, the transparency collective Distributed Denial of Secrets published 269 gigabytes of law enforcement data on its website and using the peer-to-peer file sharing technology BitTorrent. The data, stolen from 251 different law enforcement websites by the hacktivist collective Anonymous, was mostly taken from fusion center websites (including many of those listed on DHS’s website), though some of the hacked websites were for local police departments, police training organizations, members-only associations for cops or retired FBI agents, and law enforcement groups specifically dedicated to investigating organized retail crime, drug trafficking, and working with industry.
After the BlueLeaks data was published, Twitter has permanently suspended the DDoSecrets Twitter account, citing a policy against distributing hacked material. Twitter has also taken the unprecedented step of blocking all links to ddosecrets.com, falsely claiming, to users who click that the website may be malicious. Twitter is implementing these policies arbitrarily; for example, the WikiLeaks Twitter account and links to wikileaks.org are still accessible despite the large amount of hacked material that WikiLeaks has published. Following Twitter’s example, Reddit banned the r/blueleaks forum — citing its policy against posting personal information — where users discussed articles based on leaked documents and their own findings from digging through the BlueLeaks data. German authorities have seized a server belonging to DDoSecrets that was hosting BlueLeaks data, leaving BitTorrent as the only way the data is currently being distributed by the organization. (For the record, I’m a member of DDoSecrets’ advisory board.)
“I think the bans are simple attempts to slow or stop the spread of the information and news,” Emma Best, a co-founder of DDoSecrets, told The Intercept. “The fact that the server was seized without a warrant or judicial order and now sits idle while the Germans debate whether or not to let FBI have it simply emphasizes the conclusion that censorship and retaliation, not just investigation, are the driving forces,” they added.
All of the hacked websites were hosted and built by the Texas web development firm Netsential on Windows servers located in Houston. They were all running the same custom (and insecure) content management system, developed using Microsoft’s ASP.NET framework in the programming language VBScript, using Microsoft Access databases. Because they all run the same software, if a hacker could find a vulnerability in one of the websites that allowed them to download all the data from it, they could use that vulnerability to hack the rest of the websites without much additional effort.
The hacked data includes a massive trove of law enforcement documents, most of which dates from 2007 until June 14, 2020, well into the wave of anti-police brutality protests triggered by the police murder of George Floyd in Minneapolis. The data also includes the source code for Netsential’s custom CMS — while analyzing it for this story, I discovered a vulnerability myself — and the content of the databases that these websites used.
“Netsential can confirm its web servers were recently compromised,” the company said in a statement on its website, which itself runs this same CMS. “We are working with the appropriate law enforcement authorities regarding the breach, and we are fully cooperating with the ongoing investigation. We have enhanced our systems and will continue to work with law enforcement to mitigate future threats. Netsential will continue to work with clients impacted by the intrusion. Inasmuch as this is an ongoing investigation, and due to the sensitivity of client information, Netsential will provide no further statement while the matter is pending.“
“It’s a disaster for law enforcement from a PR perspective,” Phillip Atiba Goff — CEO and co-founder of Center for Policing Equity, an organization that uses data science to combat racial bias within U.S. police departments — told me in an encrypted phone call. “That there is worse stuff than what we’re seeing, that it’s not just individual [police] Facebook accounts but it’s part of the culture of the department — that doesn’t surprise me. That shouldn’t surprise anyone.”
The vast majority of people who have logins on these hacked websites are law enforcement officers, and Netsentiel’s CMS stores quite a lot of personal information about each account.
For example, the Northern California Regional Intelligence Center has 29,114 accounts, and each one includes a full name; rank; police department or agency; email address; home address,; cellphone number; supervisor’s name, rank, and email address; the IP address used to create the account; and a password hash — a cryptographic representation of the user’s password (hashed with 1,000 iterations of PBKDF2 and a 24-byte salt, if you’re that kind of nerd). If a user’s password is weak, hackers with access to its hash could crack it to recover the original password, potentially leading to a giant list of all the weak passwords used by U.S. law enforcement.
This is from a single fusion center. The BlueLeaks data contains similar information for 137 separate websites, though most have fewer accounts and not every website contains all of these pieces of information. Some don’t contain password hashes.
The two largest account databases come from the National Guard’s counterdrug training program website, with more than 200,000 accounts exposed, and the Los Angeles High Intensity Drug Trafficking Area training program website with nearly 150,000 accounts exposed. In total, the hacked data includes private details for over 711,000 accounts.
“I get that there’s a community concern that there’s not accountability for law enforcement, and there’s a desire among a nontrivial portion of the population for something like not justice but vengeance, and there’s a feeling that the entire population of law enforcement is to blame for what we’ve seen in the streets,” Goff said. “I really pray that no officer is hurt because of this. Even more I pray that no officer’s family is hurt because of this.”
Many of the websites belonged to traditional fusion centers, such as Minnesota’s fusion center called ICEFISHX, the Alabama Fusion Center, and even the Mariana Regional Fusion Center based in the Mariana Islands, a U.S. commonwealth in the North Pacific.
But a number of the hacked websites belong to organizations in which law enforcement agencies partner with industry, such as:
Many of the hacked websites belong to high intensity drug trafficking area programs, or HIDTAs, essentially fusion centers focused solely on the war on drugs. These include Atlanta-Carolinas HIDTA, New Mexico HIDTA, Puerto Rico-U.S. Virgin Islands HIDTA, as well as many others.
Some of the hacked websites belong to local police departments, such as the Jersey Village Police Department in Texas, which prominently displays a link to request a “vacation house watch.” In this case, partners who log in to the website appear to be individuals who live or own property in Jersey Village. Websites belonging to the Lamar University Police Department (also in Texas), the Burlingame Police Briefing Board (in California), and several other local police departments were among those hacked.
Many of the hacked websites belonged to training academies for law enforcement, such as the Iowa Law Enforcement Academy, the Amarillo College Panhandle Regional Law Enforcement Academy, and many others. The Los Angeles Police Department Detective Training Unit website, which was taken offline after the data breach, offers courses taught by billionaire Peter Thiel’s private surveillance company Palantir.
Finally, several of the hacked websites belong to members-only associations like the Houston Police Retired Officers Association, the Southeastern Michigan Association Chiefs of Police, and associations for various chapters of the FBI National Academy Associates.
A week after Derek Chauvin, a Minneapolis police officer, knelt on George Floyd’s neck for eight minutes while he lay handcuffed in the street until he died, triggering massive nationwide protests, a young political science major in Oregon was contacting lawyers. “I am a long time activist and ally of the Black Lives Matter movement,” she wrote to a Bay Area law firm. “Is there anyway[sic] that I could add your firm, or consenting lawyers under your firm, to a list of resources who will represent protesters pro bono if they were/are to be arrested? Thank you very much for your time.”
A lawyer who read this message was infuriated and anonymously reported the student to the authorities. “PLEASE SEE THE ATTACHED SOLICITATION I RECEIVED FROM AN ANTIFA TERRORIST WANTING MY HELP TO BAIL HER AND HER FRIENDS OUT OF JAIL, IF ARRESTED FOR RIOTING,” he typed into an unhinged letter, in all-caps, that he mailed to the Marin County District Attorney’s office, just north of San Francisco.
He explained that he was remaining anonymous because he “CANNOT RISK THIS PIECE OF SHIT ANTIFA […] FILING A BAR COMPLAINT AGAINST ME,” and warned that “THE SAN FRANCISCO PUBLIC DEFENDERS WILL VIGOROUSLY DEFEND THESE TERRORISTS.” He ended his letter, “HAPPY HUNTING.”
An investigator in the Marin County DA’s office considered this useful intelligence. She logged into the Northern California Regional Intelligence Center’s CMS and created a new Suspicious Activity Report, or SAR, under the category “Radicalization/Extremism” and typed the student’s name as the subject. “The attached letter was received via US Postal Service this morning,” she wrote in the summary field. The student “appears to be a member of the Antifa group and is assisting in planning protesting efforts in the Bay Area despite living in Oregon.”
She uploaded a scanned PDF of the letter to the fusion center. The return address on the envelope was the address of the San Francisco District Attorney’s office. The Intercept could not confirm if the attorney who reported this student works with the San Francisco DA or not.
This is one example from over 1,200 community-submitted SARs in the BlueLeaks data, the bulk of which are included in the data of 10 different fusion sites. Here are a few others.
A probation officer posted a SAR to the Orange County Intelligence Assessment Center stating, “3 young females with hijabs were videotaping the LJC [juvenile court] building,” and adding: “Although it is their constitutional right to video tape it did make me very concerned.”
Google reports threatening YouTube comments to the Northern California fusion center in the form of SARs, regardless of where the abusive YouTube user is located. For example, in June, Google reported a series of comments that a user from Michigan posted to different videos. Here is an example of one of his comments:
He was only a nigger. Who cares. With the years of unprovoked anti white attacks and contribution to white genocide. I feel nothing for nigger deaths. Or view them as human. Way they act. Trump 2020 and why I still refuse to serve niggers in my diner to the point I have history of pointing my gun at any who still enter despite the sign outside. That includes ones in police uniform who could be fake cops in stolen uniforms. Would be like letting in the Devil.
It’s unclear what the fusion center does with this information, if anything. But this SAR reported by Google is the only place in all of the BlueLeaks data where this YouTube user’s display name or email address appears.
In all, the BlueLeaks archive contains more than 16 million rows of data from hundreds of thousands of hacked database tables: not just personal information of officers, but the content of bulk emails and newsletters, descriptions of alleged crimes with geolocation coordinates, internal survey results, website logs, and so much more. It also contains hundreds of thousands of PDFs and Microsoft Office documents, thousands of videos, and millions of images.
“I think that law enforcement can be better if [evidence of police crimes and racial bias] can be made more public,” Goff said. “The emails and records that I’ve seen could absolutely take down the entire profession.”