The Ghost in the Machine: How Sensitive Chicago Data Vanished into DHS Laps
In the quiet corners of federal intelligence, a story unfolded that reads like a cautionary tale of unchecked ambition and systemic oversight failure. For months, the Department of Homeland Security (DHS) held onto sensitive data from the Chicago Police Department, a trove of information on nearly 900 residents accused of gang affiliations. This wasn’t a data breach in the traditional sense, but rather a profound lapse in governance, a test gone awry that exposed deep-seated issues in how intelligence is collected, managed, and, crucially, deleted.
A Test Run Gone Wrong: The Genesis of the Data Mishap
The incident, which came to light through Freedom of Information Act (FOIA) requests, began with a seemingly straightforward proposal in the summer of 2021. A field intelligence officer within DHS’s Office of Intelligence & Analysis (I&A) sought to explore a critical question: could local law enforcement data effectively feed federal watchlists? The target: identifying suspected undocumented gang members at airports and border crossings.
However, the data itself was far from pristine. Even before DHS’s involvement, Chicago’s gang data had a reputation for being a chaotic collection of inaccuracies. City inspectors had flagged it years prior, pointing out contradictions so egregious they defied logic. Records listed individuals purportedly born before 1901, or conversely, infants. Some entries lacked any specific gang affiliation, leaving individuals in a nebulous state of suspicion. The data was also marred by a disturbing lack of professionalism, with police officers resorting to derogatory labels for individuals’ occupations, such as “SCUM BAG,” “TURD,” or simply “BLACK.” The threshold for inclusion was alarmingly low, requiring neither arrest nor conviction, a stark departure from fundamental principles of justice.
The Data’s Reach: Beyond Gangs, Into Immigrant Lives
This problematic data wasn’t confined to internal police investigations. Prosecutors and law enforcement relied on these designations in court filings, during bail hearings, and even in sentencing. For immigrants in Chicago, the implications were particularly dire. Despite the city’s sanctuary policies, which generally restricted data sharing with immigration authorities, a carve-out for "known gang members" created a loophole. Over a decade, immigration officers had accessed this database over 32,000 times, a number that underscores the significant, and often unscrutinized, impact of these designations.
A Cascade of Errors: The Unraveling of Oversight
The DHS I&A memos, initially uncovered by the Brennan Center for Justice at NYU, paint a picture of a project that spiraled out of control due to a series of procedural missteps and a breakdown in accountability. What started as a targeted data-sharing experiment soon devolved into a cascade of oversight failures.
The request for Chicago’s gang data navigated through multiple layers of review within DHS, but crucially, no single entity seemed to assume clear ownership or ensure that legal safeguards were strictly adhered to. By the time the data landed on I&A’s servers around April 2022, the officer who had initiated the request had already moved on. The experiment, in essence, imploded under its own bureaucratic weight.
Critical steps were missed. Signatures were absent from essential documents, required audits were never filed, and the mandated deletion deadline – a vital safeguard against the prolonged retention of sensitive information – simply slipped by unnoticed. The very guardrails designed to keep intelligence operations focused on external threats, rather than on American citizens and residents, had failed.
The Delayed Deletion: A Breach of Trust and Policy
The full gravity of the situation only became apparent in November 2023, when DHS finally deleted the dataset. This wasn’t a proactive cleanup but a reactive measure after the lapse was discovered. A subsequent inquiry revealed that the data had remained on federal servers for a staggering seven months past its deletion deadline, in direct violation of an intelligence oversight body’s order.
The investigation found that nearly 800 files had been retained, a breach of rules explicitly designed to prevent domestic intelligence operations from targeting legal US residents. This episode highlighted a troubling pattern: federal intelligence officers could potentially sidestep local sanctuary laws by accessing and repackaging data that cities were reluctant to share directly with agencies like Immigration and Customs Enforcement (ICE).
Spencer Reynolds, a senior counsel at the Brennan Center, articulated this concern clearly: “This intelligence office is a workaround to so-called sanctuary protections that limit cities like Chicago from direct cooperation with ICE. Federal intelligence officers can access the data, package it up, and then hand it off to immigration enforcement, evading important policies to protect residents.”
The Broader Ambition: AI, Watchlists, and the Erosion of Privacy
The incident at I&A, while seemingly isolated, occurs against a backdrop of escalating federal ambitions. DHS’s budget is projected to surge, and the agency is actively pursuing technologies to integrate sensitive data across previously siloed systems. An executive order from March 2025, for example, encouraged federal departments to “eliminate information silos across the government.” Simultaneously, DHS’s own AI initiatives promise to meld public and commercial data into powerful tools for enforcement and surveillance.
These ambitions are deeply intertwined with the federal watch-listing apparatus, a system that screens travelers at airports, borders, and visa desks. A cornerstone of this apparatus is the Terrorist Screening Dataset (TSD), managed by the FBI. Complementing the TSD is the Transnational Organized Crime Actor Detection Program (TADP), a companion list aimed at identifying cartel and gang actors. Critically, the TADP’s charter explicitly prohibits the inclusion of US citizens or lawful permanent residents.
While I&A’s guidelines permit the temporary retention of such data, it’s strictly for the purpose of determining foreign intelligence value. However, Reynolds warns that the scope of these watch-listing activities is expanding. "Thanks to how the government characterizes people with some connection to a cartel as ‘terrorists,’ it could impact the lives of millions more people in this country,” he stated. “This can potentially justify federal targeting of family members, churches, food banks, and others who support immigrants.”
The Latin Kings and the Spark of the Request
The specific chain of events leading to the Chicago data request was ignited by an FBI decision in June 2021 to expand the TADP to include the Latin Kings, a prominent street gang originating in Chicago. While the group’s name was redacted in most of the documents reviewed by WIRED, its inclusion on the TADP list has not been previously reported. This expansion, according to I&A field officers, spurred the request for a complete extract of Chicago’s gang records the following month, with the stated aim to “fully exploit the list.”
Because bulk data transfers automatically trigger internal privacy reviews, the request was routed to DHS’s Data Access Review Council (DARC). This oversight body spent over six months deliberating on the officer’s proposal to ingest the Chicago data.
Staffing Gaps and Oversight Lapses: A Perfect Storm
In January 2022, before the DARC’s review was officially concluded, the officer who initiated the project departed their post. This created a significant “staffing gap,” as their replacement wouldn’t arrive for another eight months. Despite this critical personnel shortage, the DARC team finalized a set of terms and conditions for the data transfer. These included a mandate to delete all US-person data within a year and to submit a six-month progress report for leadership review. Alarmingly, neither of these stipulations was met.
The Chicago PD extract, according to I&A’s own terms, contained a wealth of sensitive information: names, addresses, birth dates, alleged gang affiliations and factions, along with demographic data like sex and race.
An I&A oversight officer later noted, “What is striking about the factual record during the spring of 2022 is the complete lack of awareness on the part of any I&A senior leader that the terms and conditions were even under consideration.” Policy dictated that the agreement be signed by the undersecretary for intelligence and analysis or a designated surrogate. Instead, on April 18, 2022, the chief information officer signed off, a deviation whose reasons remain “unclear.”
Chicago’s Own Mess: The Flawed Foundation
Compounding the federal failures was the state of Chicago’s own data management. An independent audit years prior had already revealed that the city didn’t maintain a single “gang database,” but rather at least 18 different systems and locations housing this information. The audit found that the police department “could not definitively account for all such information in its possession and control.”
Over a decade, more than 500 external agencies had queried these systems over a million times. The audit documented a pattern of recurring failures: impossible birthdates, missing identifiers, and outright slurs. Inspectors pointed to Chicago PD’s lack of data controls as a prime example of how such dossiers could be used to “demean and dehumanize members of the public.”
The audit also found a significant lack of due process. There was no clear process for individuals to be notified about their inclusion in the database or to appeal their designation. Furthermore, there was no routine purging of records for individuals who had left gangs or hadn’t had any police contact for years. The report starkly noted that 95% of those labeled were Black or Latino.
Reform Efforts: Stalled and Ineffective
In response to public pressure, Chicago police proposed reforms aimed at creating a more transparent and accountable system. These included published criteria for inclusion, an appeals process, and a rule to remove individuals after five years without new qualifying offenses. The plan also promised regular audits, enhanced officer training, and limitations on data sharing.
However, the implementation of these reforms proved to be a slow and arduous process. Four months before DHS submitted its data request, the city’s inspector general reported that Chicago PD had made “minimal progress” toward implementing the promised changes. Two years later, the department still lacked a clear timeline, a uniform policy, and continued to rely on outdated data. While they broadened the criteria for adding individuals to the system, these changes were never publicly disclosed, leaving outdated policies accessible online. The watchdog concluded that the department had “critically short” of meeting its commitments.
Chicago PD did not respond to requests for comment regarding this project or their current use of gang data.
The Long Shadow of Data Retention: A Continued Threat
Back at DHS, the window for evaluating the Chicago data closed in April 2023, as officials failed to request an extension. It took months for oversight staff to notice the lapse. A preliminary inquiry revealed that I&A had retained at least 797 “documents” in violation of their own regulations against collecting or keeping domestic intelligence. The initial plan had been narrow: review local police intelligence, focusing on non-citizens, and delete the rest on schedule. The subsequent events, however, point to a complete failure in compliance.
In August 2023, a Chicago city commission voted to reject the police department’s proposed replacement database. Then, just three months later, and a mere two weeks after the database was officially scrapped by the city, I&A deleted the Chicago dataset.
In February 2024, DHS’s then undersecretary for I&A, Kenneth Wainstein, approved mitigation measures, including mandatory staff training and other procedures to ensure that bulk transfers would require his office’s explicit sign-off.
DHS declined to comment on the specifics of the incident or detail the corrective actions taken. A spokesperson stated the agency “abides by strict standards for data keeping and record maintenance” and that “all records are handled in accordance with existing law and regulation.”
A Systemic Weakness: GAO and the Persistent Oversight Deficit
However, a report from the Government Accountability Office (GAO) in July reached a different conclusion. The GAO found that I&A continues to lack fundamental controls necessary for tracking how intelligence is gathered and utilized. The office had only produced its first consolidated intelligence budget in 2025, a full 12 years after it became a legal requirement. Adding to these concerns, a separate WIRED report in September detailed how a misconfiguration in the Homeland Security Information Network’s intelligence portal had exposed hundreds of I&A reports to thousands of unauthorized users.
“Robust oversight has long taken a backseat at the department,” lamented Reynolds, highlighting the recent dismantling of DHS’s civil rights and civil liberties office. “Would an oversight inquiry like this even happen now? Probably not.”
Analysts from various DHS offices have informed congressional auditors that completed intelligence reports are often circulated without adequate review and sometimes contain factual errors. At the time of the audit, the agency’s internal list of offices conducting intelligence work had not been updated in nine years, a situation that almost guarantees fragmented policy and compliance.
As has been the case in previous reviews, DHS has pledged to implement new procedures and has set deadlines that extend into the new year. While Chicago’s flawed gang database is gone, Illinois still maintains its own statewide gang file through the Law Enforcement Agencies Data System (LEADS). Records indicate that DHS’s Enforcement and Removal Operations directorate signed a new LEADS data-sharing agreement last year. Chicago police did not respond to questions about their role, if any, in this statewide system.
This incident serves as a stark reminder of the ongoing challenges in balancing national security imperatives with the fundamental right to privacy, especially in an era of rapidly advancing data science and AI-driven surveillance.