Why the U.S. Security-Clearance Process Has a Digital Blind Spot

In Nov. 2020, Jack Teixeira wrote a letter to the local police chief asking him to reconsider allowing him to own guns. The Dighton, Mass., police had denied the 18-year-old’s two previous requests for a firearms license, citing an incident when Texeira, as a high-school sophomore, was suspended for alleged violent and racial threats, including comments about guns at school.

This time, Teixeira’s pleas worked. As a newly minted member of the Massachusetts Air National Guard, he had recently received a top-secret security clearance. “The investigation process was extremely thorough,” he wrote to the police chief, arguing that the U.S. government had deemed him qualified to become “a person with a military career in intelligence and a person that now has the national trust to safeguard classified information.”

That trust turned out to be misplaced. Last month, Teixeira was arrested and charged with posting classified military documents online in the most damaging leak of U.S. intelligence in a decade, revealing sensitive information about the war in Ukraine and complicating relations with U.S. allies. Federal investigators also found that he had continued to regularly post “about violence and murder” in online forums, researched mass shootings, amassed an “arsenal” of weapons in his home, and asked for advice on how to turn an SUV into an “assassination van.”

These revelations have raised new questions about the U.S. government’s security-clearance process tasked with vetting those entrusted with the nation’s most sensitive secrets. For decades, the system has made judgments about who to grant clearances based on the “whole person concept,” considering the “totality” of the person’s conduct and any mitigating circumstances in order to figure out whether they pose an acceptable level of risk and can be deemed trustworthy. The probe scrutinizes many aspects of their personal and professional lives, from their relationships with their families and interactions with foreigners to their finances, mental health, sexual behavior, psychological state, past handling of protected information, and drug and alcohol use.

More from TIME

But there is a key aspect of applicants’ lives that remains largely off-limits in that screening process: their behavior online. Unlike their offline interactions, an applicant’s digital life—from social-media posts to online groups and relationships—is not typically scrutinized, and is very rarely investigated unless there is a specific reason to do so, according to national-security legal experts and U.S. officials.

Read More: Alleged Pentagon Leaker Posted Chilling Messages About ‘Violence and Murder’

Dozens of cases in recent years have exposed the double lives led online by people who underwent rigorous screenings to be granted high-level clearances. The lack of scrutiny given to an applicant’s digital conduct is particularly troubling as a new generation of military service members, intelligence officers, government officials, and contractors come of age online. “Our physical and digital lives are merging,” says Marek Posard, a military sociologist at the RAND Corporation who co-authored a 2021 study on updating the security-clearance process for future generations. The study recommended adding “personal digital conduct” as a criteria. “If the government does, in fact, want to assess risk using the whole-person concept, we need to recognize that people’s lives exist online.”

The challenge is that following the digital trails of millions of applicants would raise a host of privacy and First Amendment issues and perhaps overwhelm an already balky process. Lawmakers have pushed for reforms to the vetting guidelines in recent years after a series of high-profile incidents where Americans with secret-level clearances were found to be sharing sensitive information or involved with violent, extremist and anti-government groups online. “The security vetting procedures are approaching a crossroads given the widespread use of social media and its existence as an untapped source of information for investigators,” says Brad Moss, a lawyer who specializes in national security and security clearance law. “Putting aside political and legal implications of such an approach, there is a non-trivial argument that the immense amount of data would simply overwhelm an already slow investigative process and delay clearance adjudications even more.”

The debate comes as the U.S. government undertakes a multibillion-dollar overhaul of the security clearance system in an effort to modernize and automate parts of the background-check process. Even when that is completed, experts say, it will still be significantly outdated for future generations unless it includes some level of vetting of their online activities.

The role that social media or online activities should play in vetting people for high-level security clearances has been an ongoing debate for two decades. Security-clearance criteria has been periodically updated to keep up with the times. (Guidance from the 1960s, for example, listed cohabitation and homosexuality as risk factors.) But besides privacy concerns, officials have long been stuck on the question of whether delving into applicants’ social media lives would be worth the time and resources needed to vet the information, establish its authenticity, and figure out the risk factor.

“It’s not collecting it, it’s not finding it, it’s then doing the analysis,” Merton Miller, the Associate Director for the Federal Investigative Services, told congressional investigators in 2014. Miller was interviewed as part of a probe into the flaws in the federal security-clearance process, opened after military contractor and former Navy reservist Aaron Alexis killed 12 people in Washington, D.C.’s Navy Yard and contractor Edward Snowden leaked thousands of documents about U.S. government surveillance practices.

“The Investigator’s Handbook is antiquated,” Miller said, noting that while there was “a great deal of dialogue” about creating a policy to include social-media information to vet applicants, the guidelines still strictly prohibited using the Internet to obtain information on them and they weren’t asked to self-report their social media profiles. “I think most people would say it’s a no-brainer.” In their subsequent report, the House Oversight Committee concluded that “Congress should force [the Office of Personnel Management’s] investigative practices into the twenty-first century by allowing investigators to use the internet and social media sources in particular for the first time” to access the “treasure trove” of valuable information.

A decade later, updates to the security criteria for individuals eligible to access classified information have mentioned social-media monitoring but put few concrete practices into effect. In 2016, then-Director of National Intelligence James Clapper authorized, but did not require, the use of social media in security clearance background investigations. Three years later, the Defense Department ran pilot programs to monitor current clearance holders’ online activities and flag unusual behaviors. It’s still unclear if or when these could become implemented permanently.

Meanwhile, the overall clearance process is in the midst of a major overhaul. Instead of requiring a re-investigation every five years, it is moving to a semi-automated “continuous vetting” program which checks people’s records against commercial and government data—including criminal and terrorism ties, suspicious financial activity, and foreign travel—and flags potential risks. “It has the potential to make the process much more efficient and effective,” says Alissa Czyz, the Director of the U.S. Government Accountability Office’s Defense Capabilities and Management team.

Read More: The Strange Saga of Jack Teixeira Reveals New Security Challenges.

Yet the online lives of applicants—including the 1.3 million with top-secret clearances —remain largely off-limits. The Defense Counterintelligence and Security Agency (DCSA), which conducts the vast majority of background checks on people like Teixeira, is not conducting social-media monitoring of all cleared individuals, a spokesman told TIME. “As a part of overall personnel vetting reforms we are assessing options to integrate publicly available social media information searches into personnel vetting, particularly during military accessions, while keeping individuals’ privacy and civil liberties in mind,” DCSA spokesman Royal Reff said.

Proponents of adding social media screening to security-clearance checks have pointed to a growing number of recent examples where this information would have provided crucial context. In more than a dozen recent high-profile cases reviewed by TIME, individuals with high-level security clearances left clear and often brazen trails online showing links to extremist groups, posted violent propaganda, plotted anti-government activities, and shared sensitive U.S. information to which they had been granted access.

Several of the participants in the Jan. 6, 2021 attack on the U.S. Capitol were found to be holding jobs that required security clearances, despite posting on forums dedicated to violent anti-government conspiracies and participating in the plot to block the certification of the presidential election. One New Jersey Army reservist present on Jan. 6 was found to hold a secret-level security clearance despite being an “avowed white supremacist and Nazi sympathizer who posts video opinion statements on YouTube” and elsewhere, a source told the FBI, according to an affidavit.

Similarly, a Virginia man who participated in the white-supremacist “Unite the Right” rally in Charlottesville in 2017 was found to be a State Department employee who had twice been screened for and received a top-secret security clearance despite being involved with white-nationalist organizations and publishing racist propaganda online. Last year, an investigation into a 21-year-old Army soldier who had been discharged for misconduct found that he had received a secret security clearance despite spending time in extremist forums trafficking in violent fantasies, and had bragged on Instagram that he had joined the military to practice killing black people. In March, 24-year-old former U.S. Army private Ethan Melzer was sentenced to 45 years in prison for attempting to murder U.S. service members, providing material support to terrorists, and illegally transmitting national defense information. Melzer, who had received a top-secret clearance, had a double life online as a member of a neo-Nazi pro-jihadist cult and regularly browsed Islamic State propaganda. He shared sensitive details of his own U.S. Army unit deployed abroad with the group, planning a “jihadist attack” that was foiled, according to prosecutors.

Read More: Teixeira’s Intel Unit Ordered to Halt Mission After Discord Leaks.

These cases have led lawmakers to urge U.S. agencies to adopt new guidelines. “The domestic terror landscape has shifted dramatically to the online ecosystem where white supremacists, Neo-Nazis, and far-right extremists are free to organize and share their violent ideology with little oversight or accountability,” U.S. Democratic Reps. Jennifer Wexton of Virginia and and Jackie Speier of California wrote Director of National Intelligence Avril Haines in Feb. 2021. “We are concerned that the current background investigatory process does not adequately screen for these activities.”

One clear starting point, experts say, could be to add a question about online activities to security clearance applications. “I have been asking [officials] ‘When are you finally going to start asking about online user names and profiles on the SF-86?’” says Mark Zaid, an attorney who practices national security law, referring to the main form applicants fill out.

The 2021 RAND report commissioned by the Defense Department similarly recommended adding a “digital personal conduct” category that could expose information that reveals new risk factors, including “illicit online activities, forging close and personal ties with foreign nationals, and trading risky financial assets like cryptocurrencies.”

Whether that would solve the problem is another matter. It’s difficult to imagine the clearance process keeping up with the proliferation of alternate online platforms where tomorrow’s applicants are spending their time. Take Discord, the online chat platform used by Teixeira to post classified documents, and which would have been unlikely to surface in a background check even if there were basic scans of social media. Its multitude of servers makes it “complex and time-consuming to get the full picture of what’s going on,” and the use of voice chat by groups like Teixeira’s would make it unrealistically time-consuming to monitor, says Elise Thomas, a senior analyst at the Institute for Strategic Dialogue, a U.K.-based think tank who authored a report on the platform. “Short of someone sitting there all day listening in, which would be a huge drain on resources, potentially a privacy and civil liberties concern, and a waste of time 99.99% of the time.”

Others maintain that expanding the criteria to include online conduct would do more harm than good. “Efforts to require what might amount to digital strip-searches of every service member in exchange for clearance would violate the definition of unreasonable search and the nature of our system of trust,” Tobias Naegele, the editor-in-chief of Air & Space Forces Magazine, wrote in an editorial. “One of the prices of freedom is risk.”

Posard, the military sociologist at RAND, says attempts to scan online activities “would have to be really disciplined and focused for privacy reasons, but also because they don’t want false positives.” With almost 50% of active duty U.S. service members under the age of 25, it could make the seriousness of online content difficult to define and cause the U.S. to lose out on qualified applicants at a time when the military is struggling to recruit.

“We don’t want somebody just kind of meandering through Discord undisciplined,” says Posard. “But there needs to be a sustained effort to understand what trends and patterns are occurring, and what platforms are kind of emerging on the forefront where there could be new risks.”—With reporting by W.J. Hennigan