Almost two weeks after a Minneapolis police officer killed George Floyd while he was handcuffed face down in the street, a hacker began exfiltrating 19 gigabytes of documents from the poorly secured Northern California Regional Intelligence Center website. The NCRIC (pronounced “nick-rick”) fusion center shares information between federal agencies, local police departments across northern California, and private industry partners, including Silicon Valley companies. It also provides local cops with analytical and technical support services such as monitoring social media or helping break into locked smartphones, and it hosts events and law enforcement-related courses.
The hacked data from NCRIC, provided to transparency collective DDoSecrets by a source identifying with the hacktivist collective Anonymous, was part of a larger breach of 251 police websites across the country known as BlueLeaks. German authorities, acting on behalf of the U.S. government, seized the server DDoSecrets was using to distribute the BlueLeaks data, though the data itself is still publicly available on the internet using the peer-to-peer file sharing technology BitTorrent. (Note: I’m a member of the DDoSecrets advisory board.)
The NCRIC documents, from a 13-day period between George Floyd’s killing on May 25 and the evening of June 6, when the latest information was exfiltrated (judging from time stamps found in the leaked material), provide an unprecedented window into the internal workings and priorities of Northern California’s police intelligence agency during the recent waves of anti-police brutality protests.
One way that NCRIC shares information is by sending bulk emails to its partners. Since the protests began, these have included vague, fear-inducing memos from the Department of Homeland Security and the FBI about the threat of violent civil unrest, as well as more specific information, including emails sent at 10 a.m. and 6 p.m. every day to more than 14,000 police officers across Northern California with updated lists of Black Lives Matter protests. During the 13-day period covered in the hacked files, over half of the bulk emails NCRIC sent were related to monitoring and policing the largely peaceful protests.
Local police and other partners send information back to NCRIC by submitting “Suspicious Activity Reports.” Of the 21 civil unrest-related “suspicious activities” during this period, most were local police posting information about upcoming protests, screenshots of tweets and Instagram posts about looting and rioting, as well as two instances of people threatening to shoot and kill Black Lives Matter protesters.
Another way local police interface with NCRIC is by requesting support. Of the 20 civil unrest-related support requests during this period, most were providing information about upcoming protests to be added to the daily protest emails as well as requesting help monitoring social networks for information about the protests. Two of the requests asked for help identifying threats against white female teenagers who were facing doxxing or harassment after making racist statements and using anti-Black racial slurs.
Notably, a substantial portion of the intelligence on Black Lives Matter protests flowed through NCRIC’s Terrorism Liaison Officer program, whose purpose is to keep the intelligence center’s members “engaged & knowledgeable about current terrorist tactics, techniques & trends, regional crime trends & threats, and Officer safety information.” The terror-info program became a clearinghouse for information on upcoming demonstrations.
The weekend after Floyd’s killing, when Black Lives Matter protests were erupting throughout the country, NCRIC’s TLO sent an email to its 14,406 subscribers — mostly local police officers across Northern California — with a PDF containing a list of upcoming protests, their times, locations, and sometimes links to more information. “We will be providing a list of local protests twice daily at 1000 and 1800, until further notice,” the email said. “This information is for Situational Awareness only. Agencies may use this information for planning/staffing purposes or as they see fit,” adding, “Some of these events involve criminal activities such as planned looting, vandalism and threats of violence.”
Between May 31 and June 6, NCRIC sent these emails out every morning, and again with an updated list every evening.
June 5’s evening email listed 46 protest events scheduled for June 6 in San Francisco, San Jose, Palo Alto, Berkeley, Oakland, and other Bay Area cities, as well as 36 other events scheduled for the following days. For example, the “Noe Valley Police Violence Protest With Social Distancing” was scheduled for June 6 at 11 a.m., and the “SF Kids Peace March” was scheduled for June 7 at 2 p.m. While the vast majority of the events were Black Lives Matter protests, some had different topics, such as a “6 Feet and Grieving COVID 19 remembrance” event in Oakland.
“The fact that fusion centers are sending out lists of protests and other activities that are protected by the First Amendment is constitutionally suspect,” Vasudha Talla, a senior staff attorney with the American Civil Liberties Union of Northern California, told The Intercept. “They may try to justify it by attaching text alluding to the potentiality of certain criminal activity, but it’s clear from the documents that you showed me that there is no reasonable suspicions attached to any of these events.” She added, “Really what we have here is overbroad collection and dissemination of people’s protected First Amendment activity, and it’s untethered to any basis in the law.”
“Sending out lists of protests and other activities protected by the First Amendment is constitutionally suspect.”
Mike Sena, NCRIC’s executive director, told The Intercept that the fusion center no longer distributes daily lists of protests. “During that period of time we had just had an attack on the Ronald Dellums Federal Building,” he said, referring to the May 29 killing of Dave Patrick Underwood, a private security officer guarding the federal building in Oakland. Steven Carrillo, a far-right extremist and member of the so-called Boogaloo movement, who “came to Oakland to kill cops” according to the FBI, was charged on June 11 in the murder of Underwood. When asked at what point NCRIC stopped distributing lists of protests, Sena said, “I believe it was after the suspects were taken into custody, from that attack. At least the known suspects were taken into custody. We don’t have that going on anymore.”
Sena also claimed that NCRIC was keeping track of Black Lives Matters protests in order to make sure that they remained safe. “We weren’t keeping track of the protests themselves, but we were identifying where we were gonna have gatherings of people,” he said. “That’s our concern is, we want to make sure the events are safe. And if there are any threats that come up that may be associated with any of those events that we’re able to get that threat data to whatever agency may have protection responsibilities.”
Talla disagreed. “At the end of the day what you have is federal agencies, not only DHS but the FBI, monitoring people’s constitutionally protected activities without any reasonable suspicion,” she said. “Even though the agencies may include in some of these documents a disclaimer that they are not targeting First Amendment activities as such, if you actually look at what they’re doing, it’s clear that there is no criminal activity that they can point to to justify the overbroad collection and monitoring of protests. They have no basis to do that.”
Beginning with the second protest list that was emailed out, the footer of each PDF says: “This document is not subject to the California Information Practices Act and contains information that may be exempt from public release under exemptions provided by the California Public Records Act,” and “This information is not to be released to the public, the media, or other personnel who do not have a valid ‘right and need-to-know’ without approval of the NCRIC.”
Sena claimed that the reason these documents were exempt from public records requests, and were not supposed to be released to the public or the media, is because they could be used as a target list by someone who wanted to attack the protesters.
“Simply attaching a tagline to a document saying ‘This is exempt from the California Public Records Act’ does not make it exempt from the California Public Records Act in and of itself,” Talla said. “The document you sent me can’t be characterized as criminal intelligence because there’s no articulation of any criminal activity associated with these activities, these protests, marches, demonstrations. Really, what is confidential about this document? There’s nothing.”
Days after the Floyd killing, someone in the FBI’s Los Angeles division noticed a tweet from the Long Beach Anarchist Collective that read, “see a blue lives matter flag, destroy a blue lives matter flag challenge”:
At the time, this tweet had four retweets and 26 likes. In response, the FBI analyst typed up a Situational Information Report describing the tweet, as well as the other tweet that it referenced, with the title, “Civil Unrest in Response to Death of George Floyd Threatens Law Enforcement Supporters’ Safety, as of May 2020.”
NCRIC got a copy of this document and forwarded it to its more than 14,000 subscribers. This is far from the only fearmongering memo from the federal government that NCRIC forwarded to thousands of local cops; DHS and FBI consistently fed local cops a diet of scary-protester anecdotes and internet rumors, potentially frightening them into believing their lives were in danger during protests and thus helping feed the often brutal and violent response to peaceful protests.
Another document from the multi-agency National Explosives Task Force that NCRIC distributed claimed “a variety of incendiary and explosive devices were used against civilian and law enforcement targets in civil unrest demonstrations” with photos of Molotov cocktails and fireworks. NCRIC also distributed an FBI Situation Report which described cherry-picked messages posted by unnamed social media users, including an Instagram user who allegedly posted about a “purge” planned for June 6, saying that “anyone stopped by police should follow the only rule, to kill law enforcement first, then continue destroying property.” Without any context, there’s no way of knowing how many followers this account had, or if it was run by an internet troll.
NCRIC also forwarded a series of “Intelligence Notes” from the Department of Homeland Security to its members:
NCRIC’s tracking of BLM protests sometimes interfered with work targeting actual criminal suspects. Shortly after 5 p.m. on May 29, an FBI analyst submitted a support request to the NCRIC website. “FBI San Francisco is concern [sic] about possible criminal activity; including mass causality attacks, vandalism and destruction of property, violence towards law enforcement and participants, and ideologically motivated attacks; near or about constitutionally protected activities in Oakland in response to the death of George Floyd in Minneapolis,” he wrote. He requested NCRIC provide [Real-Time and Open Source Analysis] “and appropriate analytic resources.”
On June 1, the day after NCRIC began distributing lists of protests, NCRIC sent a bulk email to its subscribers saying that it was “actively monitoring potential planned criminal acts, acts of violence, and civil unrest” and asking for help. “Please submit upcoming events or concerns related to planned events by logging into ncric.org, clicking on the ‘Request Support’ tab, and submitting a ‘Request for Investigative or Equipment Support.’”
The following day, NCRIC sent another bulk email announcing that an upcoming class would need to be postponed. “Due to operational needs necessitated by the protests in our [area of responsibility], the Chasing Phones class scheduled for June 3-4, 2020 has been rescheduled for June 17-18, 2020.”
According to a flyer, the Chasing Phones class “will explore the methods of exploiting a suspect’s cellular phone, phone company records, and third-party data sources records” and “will increase law enforcement officers’ awareness and appreciation of the evidence and intelligence located in a mobile device and provides students with the tools and training to prepare search warrants to legally obtain that evidence.” At the time the NCRIC data was exfiltrated, the class was scheduled to happen over Zoom, and 356 people had registered for it. But this training would have to wait; monitoring protests was higher priority.
Local police connected to NCRIC used the intelligence hub to repeatedly flag BLM-related protests, vigils, and cultural events as suspicious. On May 31, a sergeant in the San Mateo County Sheriff’s Office posted a Suspicious Activity Report, or SAR, requesting “intel if any is observed regarding violent civil/criminal unrest in the county of San Mateo, specifically the cities of Redwood City, San Mateo and East Palo Alto,” adding, “It is believed that protests will occur this coming week in these cities – want intel as to #’s of participants and any illegal activities being transpired.”
Later that same day, another officer from San Mateo Sheriff’s Office posted another SAR about a local protest. “Peninsula Progressive Action Group holding a vigil/protest for George Floyd,” he wrote, referring to a local Bay Area progressive citizens group. “Requesting NCRIC intelligence gathering/monitoring of social media, etc. Although the event is promoted as peaceful, similar events in the region devolved into violence. Unknown attendance at this point. Agitators are known to promote suburban targets next.”
The next day, PPAG posted to its website that the planned vigil in San Carlos was postponed over to safety concerns, citing “right-wing extremists groups that are using events, particularly evening events, as an excuse to instigate violence and cause damage.” Even though the vigil was canceled, “about 100 people” showed up anyway with masks and signs, according to a follow-up post.
On the night of June 2, 20-year-old San Jose hip-hop artist Simon Vertugo tweeted about an upcoming event called “The Black American Experience,” a “discussion on the Black experience and how we can take steps to prevent future civil injustice, police brutality and reform our judicial system,” to be held in a few days at the Olympic Black Power statue at San Jose State University.
After an officer with the university police department saw this tweet, he logged into NCRIC’s website and posted a SAR under the category “Radicalization/Extremism” with the event image from the tweet. “Possible meeting spot for protest activity at SJSU,” he wrote. “Has been seen on Twitter under the name @simonvertugo. Date is 6/6/20 at 1300 hours. Has been retweeted about 300 times. No data on possible attendance.”
Vertugo felt this was an example of police overreach. “Truthfully I think the university cops were completely overreacting to a speech being held on a college campus,” Vertugo told The Intercept. “Nobody was inciting any riots, no plans of breaking windows, destroying property. It was just a speech held by some Black kid and his peers. I think it’s a huge joke what they choose to focus on.” Nearly 300 people showed up at the speaking event.
Officers from San Benito County Sheriff’s Office and Novato Police Department also posted SARs of local protests they heard about. Local cops from across the region logged into NCRIC to request support related to upcoming protests in their cities, sometimes asking for social media monitoring. These police departments all posted support requests about Black Lives Matter protests to NCRIC:
A sergeant with the Oakland Police Department posted a support request asking for “analysts to monitor open source media to track crimes that are about to occur or have just occurred during the protest.” And an officer with the San Francisco Police Department posted an equipment request to NCRIC asking for surveillance cameras in “high volume locations.” “We have several more planned demo’s this week and these cameras would greatly enhance our situational awareness and public safety during these incidents,” she wrote.
Police were also paying close attention to any social media posts that mention looting, rioting, or violence against law enforcement. One SAR describes a Twitter user who tweeted, “Are we having a protest in Napa I low key wanna layout a cop.” Another describes a Twitter thread mentioning looting Target stores in Walnut Creek, Emeryville, and Bayfair. Another describes receiving a “threat via social media” threatening to loot stores at Sun Valley Mall in Concord. And another included a photograph of a phone displaying instructions for a “San Mateo County Looting Night” with a “hit list” of corporate chains.
On May 31, a paramedic at a gas station that rents U-Hauls in Napa said he “observed an estimated two dozen people dressed in black (hoodies, masks, shirts pants) in their twenties most white as far as he could tell, several of which were wearing masks,” with “another half dozen people wearing the same clothing” in the store, and he overheard them asking if they could rent vans for one day and leave them in San Francisco. He considered this suspicious behavior, so he called his off-duty friend in the fire department and said “they looked like a ‘ANTIF[A] or Black Bloc’ group.” His friend called the department’s Homeland Security operations officer, who posted this secondhand information as a SAR to NCRIC’s website.
And on June 2, a hardware store employee called the Novato Police Department to report that a woman “purchased all their helmets, hard hats, hammers, bolt cutters and goggles,” and that she mentioned the goggles were for tear gas. The Navato police officer posted this as a SAR, with a description of the woman and her vehicle.
The large majority of civil unrest-related suspicious activity reports during this period were about Black Lives Matter protests, but a few were about people who believe that Black lives don’t matter.
A middle-aged white man called a California Constituent Affairs employee on June 2 and described his plans to shoot and kill protesters, according to a June 3 SAR posted by an officer with the California Highway Patrol. “The subject said he will shoot and kill protesters he perceives as a threat,” the employee described. “He believes all protesters are thugs, and says this has nothing to do with race. The subject said he has multiple firearms, including an AK 47 and he has no problem blowing off their heads if they get near his house, start a fire, or begin looting in his city. He said he will take actions into his own hands because politicians are not doing anything about it. He added that all his friends and neighbors have guns and are not afraid to use them. The subject made it very clear that protesters are not welcomed in his neighborhood and threatened to kill protesters.”
In another instance, the FBI’s threat operations center found a tweet that said, “Everyone please be careful out there! I don’t know if this person is genuine or fucking with me but I’d rather be safe than sorry! Apparently his businesses were looted and he is now threatening to shoot protesters.” It included a screenshot of a direct message conversation in which the alleged San Francisco business owner wrote, “I will start shootings tomorrow,” and “Anyone from this bullshit [enters] my store I’m gonna [shoot] them.”
On June 3, an officer at West Valley-Mission Community College Police Department posted a SAR that included a video from Snapchat, writing, “Subject has been reported as to have made a video of himself on [Snapchat] wearing a KKK style hood and [making] a white power hand gesture with the slogan ‘Burn crosses not buildings’ likely in response to the ongoing riots related to the George Floyd protests.”
“For ‘Black out Tuesday’, a 16 year old female changed her social media profile picture to all blue, in support of law enforcement, instead of all black, in support of Black Lives Matter,” a detective with the Walnut Creek Police Department typed into a Cyber Security Assessment request to NCRIC on June 4. “The family has been receiving death threats/property threats on social media, by phone and text.” He requested that they “search/review social media to obtain potential threats to family, as well as the identities of persons making such threats.”
The attached documents — a Microsoft Word document and a series of emails between Walnut Creek police officers — show much more than changing her avatar to blue to support law enforcement. They include screenshots of the teenager’s TikTok videos where she wrote messages like, “Tbh the kkk should come back. Oh and I wanna move to Georgia bc they have segregated proms,” and “I don’t talk to niggers.”
On June 6, a lieutenant with the Moraga Police Department posted a similar request to NCRIC. “The Moraga Police Department became aware of a video clip circulating on social media that depicts 3 Campolindo High School female teenagers using racist and offensive language, including the N-word,” he wrote. “We are requesting open source internet checks and overall social media monitoring analysis for the presence of threats, especially threats of violence or retaliation to occur in the Town of Moraga.”
When asked if it’s their policy to provide proactive protection to racists, the Walnut Creek and Moraga Police Departments did not respond to a request for comment.
“Any time there’s a potential threat where they’ll harm somebody, or someone’s indicating that they’ll harm somebody, we do support local agencies with those types of requests,” Sena, NCRIC’s executive director, said. “And we can’t base our support based on what the person says, or their ideologies. We have to treat everyone in the public the same, and our goal is to protect lives.”
In addition to sending bulk emails to thousands of local police, NCRIC sometimes sends bulk emails to its list of over 3,700 industry partners.
One June 2 mailing included a prescient warning from the FBI’s Cyber Division: “Due to ongoing civil unrest, hacktivist groups are actively threatening and endorsing cyber attacks against law enforcement and state government networks,” the FBI wrote. “Groups such as ‘Anonymous’ are actively leveraging societal and political unrest to encourage global cyber action against law enforcement and government computer networks, outward facing web pages, and social media accounts.”
Four days after NCRIC sent this email, the BlueLeaks hacktivist — who identified with Anonymous — began exfiltrating data from NCRIC’s server.