Civic Intelligence eagle logo
Civic IntelligenceMake America Smart Again
Society · Drain the Swamp · DHS Surveillance · May 30, 2026

DHS Ousted Three Career Privacy Officers Who Said the New Orders Were Illegal.

On January 20, 2025, Roman Jankowski was sworn in as DHS Chief Privacy Officer — Heritage Foundation's Oversight Project senior counsel, Day One appointee. Within the year, his office had issued directives ordering career compliance staff to do three things federal lawyers say have no legal basis: mark all future Privacy Threshold Analyses FOIA-exempt, treat routine compliance forms as legally privileged, and relabel completed, signed compliance documents as “drafts” so they could not be released under the Freedom of Information Act.

Three career CBP privacy officers objected in writing. They said the orders were illegal. They were reassigned — not fired, because the civil service termination process is slow and documentable, and reassignment is faster and harder to challenge. The trigger for all of it was a single lawful FOIA release: a career officer had released a Privacy Threshold Analysis to 404 Media documenting that DHS's Mobile Fortify facial recognition app — used more than 100,000 times since launch, including at public protests — had been deployed without completing the Privacy Impact Assessment its own compliance document said was legally required.

That document was the only public record that Mobile Fortify existed. The new directives were designed to make sure no document like it ever reached the public again. That is the story — not a bureaucratic personnel dispute, but a systematic effort to hide a surveillance program that career officials inside DHS had already flagged as operating without its required legal foundation.

§ 01 / What Mobile Fortify Is — and What Was Never Filed

Mobile Fortify is a facial recognition app deployed by CBP and ICE. It runs queries against biometric databases — matching faces captured on agents' phones against enrolled records and watch lists. It has been used more than 100,000 times since launch, including, per NBC News, against individuals photographed at public protests who had no enforcement contact with immigration officers.

Under the E-Government Act of 2002 and the Privacy Act, any federal system that collects, uses, or disseminates personally identifiable information must complete two documents before going live: a Privacy Impact Assessment (PIA) and a System of Records Notice (SORN). Mobile Fortify completed neither. Its own internal Privacy Threshold Analysis — the first-stage compliance document that triggers the PIA requirement — said a full PIA was legally required. That PIA was never completed. The app was deployed anyway.

The existence of Mobile Fortify was unknown to the public until a career FOIA officer lawfully released that PTA — the internal document acknowledging the missing compliance work — to 404 Media. That release was the correct and legal response to a valid FOIA request. It was also the event that triggered Jankowski's December 2025 directives.

ICE and CBP deployed the Mobile Fortify facial recognition app more than 100,000 times since launch — including at public protests — without completing the Privacy Impact Assessment their own Privacy Threshold Analysis said was legally required.

This policy change is illegal. There is nothing in the FOIA statute — or any other statute — that allows the agency to categorically withhold Privacy Threshold Analyses.

Attorney Ginger Quintero-McCall — WIRED reporting / EPIC mirror
§ 02 / The Three Orders — and Why Lawyers Say They Have No Legal Basis

Jankowski's December 2025 directives required three things. The first: all future Privacy Threshold Analyses were to be marked FOIA-exempt from the moment of creation. FOIA exemptions are defined by statute — 5 U.S.C. § 552 lists nine of them. None of them permits a blanket agency declaration that an entire category of compliance documents is exempt from disclosure. The directive had no legal citation because no applicable legal citation exists.

The second: routine compliance forms — the bureaucratic paperwork that documents an agency's adherence to its own privacy policies — were to be treated as legally privileged. Attorney-client privilege and deliberative-process privilege are the two FOIA exemptions most commonly invoked for agency documents. Neither covers routine compliance forms that are not legal advice and do not reflect pre-decisional agency deliberation in any sense recognized by case law.

The third is the one that crosses from aggressive legal interpretation into something records management lawyers call records falsification: completed, signed compliance documents — forms that had gone through the compliance workflow and bore the signatures of the officials who approved them — were to be relabeled as “drafts.” Draft documents are routinely withheld under the deliberative-process exemption. A completed signed document is, by definition, not a draft. Relabeling it as one is not a legal interpretation — it is altering a federal record.

The Three Directives — What Was Ordered and Why Lawyers Said No

1. Categorical FOIA exemption for all Privacy Threshold Analyses. No legal basis in 5 U.S.C. § 552 or any other statute. PTAs are compliance documents, not deliberative pre-decisional materials. The directive had no legal citation.

2. Routine compliance forms treated as legally privileged. Attorney-client and deliberative-process privilege do not cover routine compliance paperwork. No applicable case law supports the categorical designation. Same problem: no legal citation.

3. Completed, signed compliance documents relabeled as “drafts.” This is not a FOIA interpretation. This is altering an existing federal record. The documents had been completed, approved, and signed. Relabeling them “draft” after the fact to trigger a withholding exemption is what privacy attorneys quoted by Wired described as the most legally indefensible of the three directives.

The trigger event: A career CBP FOIA officer had lawfully released a Mobile Fortify Privacy Threshold Analysis to 404 Media. That release exposed, for the first time publicly, that Mobile Fortify had been deployed at scale without completing its required Privacy Impact Assessment. The December 2025 directives were issued within weeks of that release.

Roman Jankowski, who came from the Heritage Foundation's Oversight Project, was sworn in as DHS Chief Privacy Officer on January 20, 2025. Within months, his office issued directives to relabel completed compliance documents as “drafts” to prevent FOIA disclosure.

X
DHS Privacy Office
@dhs_priv · January 20, 2025

On January 20th, 2025, Roman Jankowski was officially sworn in as the Chief Privacy Officer and Chief FOIA Officer. We look forward to the leadership and expertise he will bring to these critical roles.

Keep Reading
The FBI Tried to Thwart the Biden Family Corruption Probe. Here Is What They Actually Did.
Society · Drain the Swamp · FBI · DOJ · Biden Family · Operation Round River
The FBI Tried to Thwart the Biden Family Corruption Probe. Here Is What They Actually Did.
Read →
§ 03 / The Reassignments — How Retaliation Works When You Can't Fire

Three career CBP privacy officers objected in writing to the directives. They were not fired. Federal civil-service employment protections make terminating a career officer for raising a legal objection procedurally slow, documentable in a Merit Systems Protection Board record, and frequently reversed on appeal. Reassignment — moving an officer to a different position, often one with diminished responsibilities, access, and influence — is the standard workaround.

Reassignment is harder to challenge because it does not technically end employment, does not trigger the formal adverse-action procedures that protect against retaliatory termination, and in the short term removes the objecting officer from the unit — which is the immediate operational goal. The GAO investigation requested by Rep. Bennie Thompson and Sen. Gary Peters is specifically examining whether these reassignments constitute whistleblower retaliation under the Whistleblower Protection Act and DHS-specific whistleblower statutes.

The same pattern appeared across two agencies in the same month. DOJ Civil Rights Division Chief FOIA Officer Kilian Kagle resigned in April 2026 rather than comply with orders to share voter-roll data with DHS. Where the CBP officers were reassigned, Kagle resigned — but the mechanics were identical: legal objection, agency pressure, removal of the objector.

§ 04 / Congressional Response and the IG Audit

Senators Mark Warner (D-VA) and Tim Kaine (D-VA)wrote DHS on January 29, 2026 demanding a full audit of the department's surveillance technology use. The letter named Mobile Fortify explicitly, cited the absence of a completed Privacy Impact Assessment and System of Records Notice, and demanded a response within 30 days.

One week later — February 6, 2026 — DHS Inspector General Joseph Cuffari announced a formal audit of DHS biometric data collection and use. The audit scope covers Mobile Fortify specifically and the completeness of required privacy compliance documentation across DHS biometric programs.

Separately, Rep. Dan Goldman (D-NY), Sen. Ron Wyden (D-OR), and Rep. Nydia Velázquez (D-NY) demanded answers on ICE's use of Palantir-developed technologies used in coordination with Mobile Fortify deployments. Former DHS Secretary Kristi Noem (R) — fired by Trump on March 5, 2026 — held her position during the period when both the Mobile Fortify deployments and the Jankowski directives were issued.

§ 05 / On Camera

NBC News reported the use of Mobile Fortify at protest locations. The footage below is the most detailed public documentation of how the app is used in the field — and why the absence of a Privacy Impact Assessment matters for anyone who has attended a demonstration, rally, or public gathering within range of an ICE or CBP agent.

§ 06 / Named Officials
The Officials in This Story — With Title and Affiliation

Roman Jankowski— DHS Chief Privacy Officer and Chief FOIA Officer. Sworn in January 20, 2025. Prior position: Senior Counsel, Heritage Foundation's Oversight Project. Issued the December 2025 directives that triggered the officer reassignments.

Kristi Noem (R) — Former DHS Secretary. Fired by Trump on March 5, 2026. Held the position during both the Mobile Fortify deployments and the Jankowski directives. Has not addressed either publicly.

Joseph Cuffari — DHS Inspector General. Launched the formal biometric-surveillance audit on February 6, 2026 following the Warner-Kaine letter.

Kilian Kagle — DOJ Civil Rights Division Chief FOIA Officer. Resigned April 2026 rather than comply with orders to share voter-roll data with DHS. Same pattern, different agency: legal objection followed by removal.

Sen. Mark Warner (D-VA) and Sen. Tim Kaine (D-VA) — Wrote the January 29, 2026 letter demanding a DHS surveillance technology audit; their letter directly preceded the IG audit launch.

Rep. Bennie Thompson (D-MS) (House Homeland Security Ranking Member) and Sen. Gary Peters (D-MI) (Senate Homeland Security Ranking Member) — Requested the GAO investigation into DHS whistleblower retaliation.

X
Ginger Quintero-McCall
@gingerqmccall · December 2025· paraphrase

This policy change is illegal. There is nothing in the FOIA statute — or any other statute — that allows the agency to categorically withhold Privacy Threshold Analyses.

Donald J. Trump@realDonaldTrump · Recurring Truth Social theme · Immigration enforcement cycle · 2025–2026

ICE and CBP are doing a fantastic job protecting our border and our country. The fake news media doesn't want you to know it, but our law enforcement officers are using every available tool to keep criminals and illegal aliens out. We will NEVER apologize for keeping Americans safe. That is what we were elected to do!

Paraphrased commentary · not a verbatim post

Paraphrased composite of Trump's recurring immigration-enforcement Truth Social posts. Trump has not specifically addressed the Mobile Fortify PIA compliance gap or the privacy officer reassignments. The broader enforcement posture is documented via the @realDonaldTrump feed.

Three CBP privacy officers were reassigned after objecting to what they characterized as orders to falsify government records. The reassignment — rather than termination — is the standard civil service retaliation workaround that is harder to challenge legally.

More From Civic Intelligence
The FBI Tried to Thwart the Biden Family Corruption Probe. Here Is What They Actually Did.
Society · Drain the Swamp · FBI · DOJ · Biden Family · Operation Round River
The FBI Tried to Thwart the Biden Family Corruption Probe. Here Is What They Actually Did.

The FBI authenticated Hunter Biden's laptop in late 2019 — then spent more than a year conditioning…

An Illegal Alien From Guyana Became Iowa's Largest School District Superintendent. He Got 2 Years in Federal Prison.
Society · Drain the Swamp · Iowa · Immigration · Des Moines Schools
An Illegal Alien From Guyana Became Iowa's Largest School District Superintendent. He Got 2 Years in Federal Prison.

Ian Andre Roberts, 54, born Guyana, entered U.S. 1994 on a B-2 tourist visa and never obtained legal…

§ 07 / Sources