Department of Homeland Security

US cyber defense chief accidentally uploaded secret government info to ChatGPT


Cybersecurity “nightmare”

Congress recently grilled the acting chief on mass layoffs and a failed polygraph.

Alarming critics, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, accidentally uploaded sensitive information to a public version of ChatGPT last summer, Politico reported.

According to “four Department of Homeland Security officials with knowledge of the incident,” Gottumukkala’s uploads of sensitive CISA contracting documents triggered multiple internal cybersecurity warnings designed to “stop the theft or unintentional disclosure of government material from federal networks.”

Gottumukkala’s uploads happened soon after he joined the agency and sought special permission to use OpenAI’s popular chatbot, which most DHS staffers are blocked from accessing, DHS confirmed to Ars. Instead, DHS staffers use approved AI-powered tools, like the agency’s DHSChat, which “are configured to prevent queries or documents input into them from leaving federal networks,” Politico reported.

It remains unclear why Gottumukkala needed to use ChatGPT. One official told Politico that, to staffers, it seemed like Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it.”

The information Gottumukkala reportedly leaked was not confidential but marked “for official use only.” That designation, a DHS document explained, is “used within DHS to identify unclassified information of a sensitive nature” that, if shared without authorization, “could adversely impact a person’s privacy or welfare” or impede how federal and other programs “essential to the national interest” operate.

There’s now a concern that the sensitive information could be used to answer prompts from any of ChatGPT’s 700 million active users.

OpenAI did not respond to Ars’ request to comment, but Cyber News reported that experts have warned “that using public AI tools poses real risks because uploaded data can be retained, breached, or used to inform responses to other users.”

Sources told Politico that DHS investigated the incident for potentially harming government security—which could result in administrative or disciplinary actions, DHS officials told Politico. Possible consequences could range from a formal warning or mandatory retraining to “suspension or revocation of a security clearance,” officials said.

However, CISA’s director of public affairs, Marci McCarthy, declined Ars’ request to confirm if that probe, launched in August, has concluded or remains ongoing. Instead, she seemed to emphasize that Gottumukkala’s access to ChatGPT was only temporary, while suggesting that the ChatGPT use aligned with Donald Trump’s order to deploy AI across government.

“Acting Director Dr. Madhu Gottumukkala was granted permission to use ChatGPT with DHS controls in place,” McCarthy said. “This use was short-term and limited. CISA is unwavering in its commitment to harnessing AI and other cutting-edge technologies to drive government modernization and deliver” on Trump’s order.

Scrutiny of cyber defense chief remains

Gottumukkala has not had a smooth run as acting director of the top US cyber defense agency after Trump’s pick to helm the agency, Sean Plankey, was blocked by Sen. Rick Scott (R-Fla.) “over a Coast Guard shipbuilding contract,” Politico noted.

DHS Secretary Kristi Noem chose Gottumukkala to fill in after he previously served as her chief information officer, overseeing statewide cybersecurity initiatives in South Dakota. CISA celebrated his appointment with a press release boasting that he had more than 24 years of experience in information technology and a “deep understanding of both the complexities and practical realities of infrastructure security.”

However, critics “on both sides of the aisle” have questioned whether Gottumukkala knows what he’s doing at CISA, Cyberscoop reported. That includes staffers who stayed on and staffers who prematurely left the agency due to uncertainty over its future, Politico reported.

At least 65 staffers have been curiously reassigned to other parts of DHS, Cyberscoop reported, inciting Democrats’ fears that CISA staffers are possibly being pushed over to Immigration and Customs Enforcement (ICE).

The same fate almost befell Robert Costello, CISA’s chief information officer, who was reportedly involved with meetings last August probing Gottumukkala’s improper ChatGPT use and “the proper handling of for official use only material,” Politico reported.

Earlier this month, staffers alleged that Gottumukkala took steps to remove Costello from his CIO position, which he has held for the past four years. But that plan was blocked after “other political appointees at the department objected,” Politico reported. Until others intervened to permanently thwart the reassignment, Costello was supposedly given “roughly one week” to decide if he would take another position within DHS or resign, sources told Politico.

Gottumukkala has denied that he sought to reassign Costello over a personal spat that Politico’s sources said sprang from “friction because Costello frequently pushed back against Gottumukkala on policy matters.” He insisted that “senior personnel decisions are made at the highest levels at the Department of Homeland Security’s Headquarters and are not made in a vacuum, independently by one individual, or on a whim.”

The reported move looked particularly shady, though, because Costello “is seen as one of the agency’s top remaining technical talents,” Politico reported.

Congress questioned ongoing cybersecurity threats

This month, Congress grilled Gottumukkala about mass layoffs last year that shrank CISA from about 3,400 staffers to 2,400. Lawmakers warned that the steep cuts seemed to threaten national security and election integrity and may have left the agency unprepared for any potential conflicts with China.

At a hearing held by the House Homeland Security Committee, Gottumukkala said that CISA was “getting back on mission” and plans to reverse much of the damage done last year to the agency.

However, some of his responses did not inspire confidence, including a failure to forecast “how many cyber intrusions CISA expects from foreign adversaries as part of the 2026 midterm elections,” the Federal News Network reported. In particular, Rep. Tony Gonzales (R-Texas) criticized Gottumukkala for not having “a specific number in mind.”

“Well, we should have that number,” Gonzales said. “It should first start by how many intrusions that we had last midterm and the midterm before that. I don’t want to wait. I don’t want us waiting until after the fact to be able to go, ‘Yeah, we got it wrong, and it turns out our adversaries influenced our election to that point.’”

Perhaps notably, Gottumukkala also dodged questions about reports that he failed a polygraph when attempting to seek access to other “highly sensitive cyber intelligence,” Politico reported.

The acting director apparently blamed six career CISA staffers for requesting that he agree to the polygraph test, which the staffers said was typical protocol but Gottumukkala later claimed was misleading.

Failing the test isn’t necessarily damning, since anxiety or technical errors could trigger a negative result. However, Gottumukkala appears touchy about the test that he now regrets sitting for, calling the test “unsanctioned” and refusing to discuss the results.

It seems that Gottumukkala felt misled after learning that he could have requested a waiver to skip the polygraph. In a letter suspending those staffers’ security clearances, CISA accused staff of showing “deliberate or negligent failure to follow policies that protect government information.” However, staffers may not have known that he had that option, which is considered a “highly unusual loophole that may not have been readily apparent to career staff,” Politico noted.

Staffers told Politico that Gottumukkala’s tenure has been a “nightmare”—potentially ruining the careers of longtime CISA staffers. Some are troubled that Gottumukkala appears likely to remain in his post “for the foreseeable future,” while seeming to politicize the agency and bungle protocols for accessing sensitive information.

According to Nextgov, Gottumukkala plans to right the ship with “a hiring spree in 2026 because its recent reductions have hampered some of the Trump administration’s national security goals.”

In November, the trade publication Cybersecurity Dive reported that Gottumukkala sent a memo confirming the hiring spree was coming that month, while warning that CISA remains “hampered by an approximately 40 percent vacancy rate across key mission areas.” All those cuts were “spurred by the administration’s animus toward CISA over its election security work,” Cybersecurity Dive noted.

“CISA must immediately accelerate recruitment, workforce development, and retention initiatives to ensure mission readiness and operational continuity,” Gottumukkala told staffers at that time, then later went on to reassure Congress this month that the agency has “the required staff” to protect election integrity and national security, Cyberscoop reported.

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.


Lawsuit: DHS wants “unlimited subpoena authority” to unmask ICE critics


Defending online anonymity

DHS is weirdly using import/export rules to expand its authority to identify online critics.

A Border Patrol Tactical Unit agent sprays pepper spray into the face of a protestor attempting to block an immigration officer vehicle from leaving the scene where a woman was shot and killed by a federal agent earlier, in Minneapolis on January 7, 2026. Credit: Star Tribune via Getty Images / Contributor | Star Tribune

The US Department of Homeland Security (DHS) is fighting to unmask the owner of Facebook and Instagram accounts of a community watch group monitoring Immigration and Customs Enforcement (ICE) activity in Pennsylvania.

Defending the right to post about ICE sightings anonymously is a Meta account holder for MontCo Community Watch, John Doe.

Doe has alleged that when the DHS sent a “summons” to Meta asking for subscriber information, it infringed on core First Amendment-protected activity, i.e., the right to publish content critical of government agencies and officials without fear of government retaliation. He also accused DHS of ignoring federal rules and seeking to vastly expand its authority to subpoena information to unmask ICE’s biggest critics online.

“I believe that my anonymity is the only thing standing between me and unfair and unjust persecution by the government of the United States,” Doe said in his complaint.

In response, DHS alleged that the community watch group that posted “pictures and videos of agents’ faces, license plates, and weapons, among other things,” was akin to “threatening ICE agents to impede the performance of their duties.” Claiming that the subpoena had nothing to do with silencing government critics, they argued that a statute regulating imports and exports empowered DHS to investigate the group’s alleged threats to “assault, kidnap, or murder” ICE agents.

DHS claims that Meta must comply with the subpoena because the government needs to investigate a “serious” threat “to the safety of its agents and the performance of their duties.”

On Wednesday, a US district judge will hear arguments to decide if Doe is right or if DHS can broadly unmask critics online by claiming it’s investigating supposed threats to ICE agents. With more power, DHS officials have confirmed they plan to criminally prosecute critics posting ICE videos online, Doe alleged in a lawsuit filed last October.

DHS seeking “unlimited subpoena authority”

DHS alleged that the community watch group posting “pictures and videos of agents’ faces, license plates, and weapons, among other things,” was akin to “threatening ICE agents to impede the performance of their duties.” Claiming that the subpoena had nothing to do with silencing government critics, they argued that DHS is authorized to investigate the group and that compelling interest supersedes Doe’s First Amendment rights.

According to Doe’s most recent court filing, DHS is pushing a broad reading of a statute that empowers DHS to subpoena information about the “importation/exportation of merchandise”—like records to determine duties owed or information to unmask a drug smuggler or child sex trafficker. DHS claims the statute isn’t just about imports and exports but also authorizes DHS to seize information about anyone they can tie to an investigation of potential crimes that violate US customs laws.

However, it seems to make no sense, Doe argued, that Congress would “silently embed unlimited subpoena authority in a provision keyed to the importation of goods.” Doe hopes the US district judge will agree that DHS’s summons was unconstitutional.

“The subscriber information for social media accounts publishing speech critical of ICE that DHS seeks is completely unrelated to the importation/exportation of merchandise; the records are outside the scope of DHS’s summons power,” Doe alleged.

And even if the court agrees on DHS’s reading of the statute, DHS has not established that unmasking the owner of the community watch accounts would be relevant to any legitimate criminal investigation, Doe alleged.

Doe’s posts were “pretty innocuous,” lawyer says

To convince the court that the case was really about chilling speech, Doe attached every post made on the group’s Facebook and Instagram feeds. None show threats or arguably implicit threats to “assault, kidnap, or murder any federal official,” as DHS claimed. Instead, the users shared “information and resources about immigrant rights, due process rights, fundraising, and vigils,” Doe said.

Ariel Shapell, an attorney representing Doe at the American Civil Liberties Union of Pennsylvania, told Ars that “if you go and look at the content on the Facebook and Instagram profiles at issue here, it’s pretty innocuous.”

DHS claimed to have received information about the group supposedly “stalking and gathering of intelligence on federal agents involved in ICE operations.” However, Doe argued that “unsurprisingly, neither DHS nor its declarant cites any post even allegedly constituting any such threat. To the contrary, all posts on these social media accounts constitute speech addressing important public issues fully protected under the First Amendment,” Doe argued.

“Reporting on, or even livestreaming, publicly occurring immigration operations is fully protected First Amendment activity,” Doe argued. “DHS does not, and cannot, show how such conduct constitutes an assault, kidnapping, or murder of a federal law enforcement officer, or a threat to do any of those things.”

Anti-ICE backlash mounting amid ongoing protests

Doe’s motion to quash the subpoena arrives at a time when recent YouGov polling suggests that Americans have reached a tipping point in ending support for ICE. YouGov’s poll found more people disapprove of how ICE is handling its job than approve, following the aftermath of nationwide anti-ICE protests over Renee Good’s killing. ICE critics have used footage of tragic events—like Good’s death and eight other ICE shootings since September—to support calls to remove ICE from embattled communities and abolish ICE.

As sharing ICE footage has swayed public debate, DHS has seemingly sought to subpoena Meta and possibly other platforms for subscriber information.

In October, Meta refused to provide names of users associated with Doe’s accounts—as well as “postal code, country, all email address(es) on file, date of account creation, registered telephone numbers, IP address at account signup, and logs showing IP address and date stamps for account accesses”—without further information from DHS. Meta then gave Doe the opportunity to move to quash the subpoena to stop the company from sharing information.

That request came about a week after DHS requested similar information from Meta about six Instagram community watch groups that shared information about ICE activity in Los Angeles and other locations. DHS withdrew those requests after account holders defended First Amendment rights and filed motions to quash the subpoena, Doe’s court filing said.

It’s unclear why DHS withdrew those subpoenas but maintained Doe’s. DHS has alleged that the government’s compelling interest in Doe’s identity outweighs First Amendment rights to post anonymously online. The agency also claimed it has met its burden to unmask Doe as “someone who is allegedly involved in threatening ICE agents and impeding the performance of their duties,” which supposedly “touches DHS’s investigation into threats to ICE agents and impediments to the performance of their duties.”

Whether Doe will prevail is hard to say, but Politico reported that DHS’s “defense will rest on whether DHS’s argument that posting videos and images of ICE officers and warnings about arrests is considered criminal activity.” It may weaken DHS’s case that Border Patrol Tactical Commander Greg Bovino recently circulated a “legal refresher” for agents in the field, reminding them that protestors are allowed to take photos and videos of “an officer or operation in public,” independent journalist Ken Klippenstein reported.

Shapell told Ars that there seems to be “a lot of distance” between the content posted on Doe’s accounts and relevant evidence that could be used in DHS’s alleged investigation into criminal activity. And meanwhile, “there are just very clear First Amendment rights here to associate with other people anonymously online and to discuss political opinions online anonymously,” Shapell said, which the judge may strongly uphold as core protected activity as threats of government retaliation mount.

“These summonses chill people’s desire to communicate about these sorts of incredibly important developments on the Internet, even anonymously, when there’s a threat that they could be unmasked and investigated for this really core First Amendment protected activity,” Shapell said.

A win could reassure Meta users that they can continue posting about ICE online without fear of retaliation should Meta be pressed to share their information.

Ars could not immediately reach DHS for comment. Meta declined to comment, only linking Ars to an FAQ to help users understand how the platform processes government requests.


DHS offers “disturbing new excuses” to seize kids’ biometric data, expert says


Sweeping DHS power grab would collect face, iris, voice scans of all immigrants.

Civil and digital rights experts are horrified by a proposed rule change that would allow the Department of Homeland Security to collect a wide range of sensitive biometric data on all immigrants, without age restrictions, and store that data throughout each person’s “lifecycle” in the immigration system.

If adopted, the rule change would allow DHS agencies, including Immigration and Customs Enforcement (ICE), to broadly collect facial imagery, finger and palm prints, iris scans, and voice prints. They may also request DNA, which DHS claimed “would only be collected in limited circumstances,” like to verify family relations. These updates would cost taxpayers $288.7 million annually, DHS estimated, including $57.1 million for DNA collection alone. Annual individual charges to immigrants submitting data will likely be similarly high, estimated at around $231.5 million.

Costs could be higher, DHS admitted, especially if DNA testing is conducted more widely than projected.

“DHS does not know the full costs to the government of expanding biometrics collection in terms of assets, process, storage, labor, and equipment,” DHS’s proposal said, while noting that from 2020 to 2024, the US only processed such data from about 21 percent of immigrants on average.

Alarming critics, the update would allow DHS for the first time to collect biometric data of children under 14, which DHS claimed would help reduce human trafficking and other harms by making it easier to identify kids crossing the border unaccompanied or with a stranger.

Jennifer Lynch, general counsel for a digital rights nonprofit called the Electronic Frontier Foundation, told Ars that EFF joined Democratic senators in opposing a prior attempt by DHS to expand biometric data collection in 2020.

There was so much opposition to that rule change that DHS ultimately withdrew it, Lynch noted, but DHS confirmed in its proposal that the agency expects more support for the much broader initiative under the current Trump administration. Quoting one of Trump’s earliest executive orders in this term, directing DHS to “secure the border,” DHS suggested it was the agency’s duty to use “any available technologies and procedures to determine the validity of any claimed familial relationship between aliens encountered or apprehended by the Department of Homeland Security.”

Lynch warned that DHS’s plan to track immigrants over time, starting as young as possible, would allow DHS “to track people without their knowledge as they go about their lives” and “map families and connections in whole communities over time.”

“This expansion poses grave threats to the privacy, security, and liberty of US citizens and non-citizens,” Lynch told Ars, noting that “the federal government, including DHS, has failed to protect biometric data in the past.”

“Risks from security breaches to children’s biometrics are especially acute,” she said. “Large numbers of children are already victims of identity theft.”

By maintaining a database, the US also risks chilling speech, as immigrants weigh risks of social media comments—which DHS already monitors—possibly triggering removals or arrests.

“People will be less likely to speak out on any issue for fear of being tracked and facing severe reprisals, like detention and deportation, that we’ve already seen from this administration,” Lynch told Ars.

DHS also wants to collect more biometric data on US citizens and permanent residents who sponsor immigrants or have familial ties. Esha Bhandari, director of the ACLU’s speech, privacy, and technology project, told Ars that “we should all be concerned that the Trump administration is potentially building a vast database of people’s sensitive, unchangeable information, as this will have serious privacy consequences for citizens and noncitizens alike.”

“DHS continues to explore disturbing new excuses to collect more DNA and other sensitive biometric information, from the sound of our voice to the unique identifiers in our irises,” Bhandari said.

EFF previously noted that DHS’s biometric database was already the second largest in the world. By expanding it, DHS estimated that the agency would collect “about 1.12 million more biometrics submissions” annually, increasing the current baseline to about 3.19 million.

As the data pool expands, DHS plans to hold onto the data until an immigrant who has requested benefits or otherwise engaged with DHS agencies is either granted citizenship or removed.

Lynch suggested that “DHS cites questionable authority for this massive change to its practices,” which would “exponentially expand the federal government’s ability to collect biometrics from anyone associated with any immigration benefit or request—including US citizens and children of any age.”

“Biometrics are unique to each of us and can’t be changed, so these threats exist as long as the government holds onto our data,” Lynch said.

DHS will collect more data on kids than adults

Not all agencies will require all forms of biometric data to be submitted “instantly” if the rule change goes through, DHS said. Instead, agencies will assess their individual needs, while supposedly avoiding repetitive data collection, so that data won’t be collected every time someone is required to fill out a form.

DHS said it “recognizes” that its sweeping data collection plans that remove age restrictions don’t conform with Department of Justice policies. But the agency claimed there was no conflict since “DHS regulatory provisions control all DHS biometrics collections” and “DHS is not authorized to operate or collect biometrics under DOJ authorities.”

“Using biometrics for identity verification and management” is necessary, DHS claimed, because it “will assist DHS’s efforts to combat trafficking, confirm the results of biographical criminal history checks, and deter fraud.”

Currently, DHS is seeking public comments on the rule change, which can be submitted over the next 60 days ahead of a deadline on January 2, 2026. The agency suggests it “welcomes” comments, particularly on the types of biometric data DHS wants to collect, including concerns about the “reliability of technology.”

If approved, DHS said that kids will likely be subjected to more biometric data collection than adults. Additionally, younger kids will be subjected to processes that DHS formerly limited to only children age 14 and over.

For example, DHS noted that previously, “policies, procedures, and practices in place at that time” restricted DHS from running criminal background checks on children.

However, DHS claims that’s now appropriate, including in cases where children were trafficked or are seeking benefits under the Violence Against Women Act and, therefore, are expected to prove “good moral character.”

“Generally, DHS plans to use the biometric information collected from children for identity management in the immigration lifecycle only, but will retain the authority for other uses in its discretion, such as background checks and for law enforcement purposes,” DHS’s proposal said.

The changes will also help protect kids from removals, DHS claimed, by making it easier for an ICE attorney to complete required “identity, law enforcement, or security investigations or examinations.” As DHS explained:

DHS proposes to collect biometrics at any age to ensure the immigration records created for children can be related to their adult records later, and to help combat child trafficking, smuggling, and labor exploitation by facilitating identity verification, while also confirming the absence of criminal history or associations with terrorist organizations or gang membership.

A top priority appears to be tracking kids’ family relationships.

“DHS’s ability to collect biometrics, including DNA, regardless of a minor’s age, will allow DHS to accurately prove or disprove claimed genetic relationships among apprehended aliens and ensure that unaccompanied alien children (UAC) are properly identified and cared for,” the proposal said.

But DHS acknowledges that biometrics won’t help in some situations, like where kids are adopted. In those cases, DHS will still rely on documentation like birth certificates, medical records, and “affidavits to support claims based on familial relationships.”

It’s possible that some DHS agencies may establish an age threshold for some data collection, the rule change noted.

A day after the rule change was proposed, 42 comments have been submitted. Most were critical, but as Lynch warned, speaking out seemed risky, with many choosing to anonymously criticize the initiative as violating people’s civil rights and making the US appear more authoritarian.

One anonymous user cited guidance from the ACLU and the Electronic Privacy Information Center, while warning that “what starts as a ‘biometrics update’ could turn into widespread privacy erosion for immigrants and citizens alike.”

The commenter called out DHS for seriously “talking about harvesting deeply personal data that could track someone forever” and subjecting “infants and toddlers” to “iris scans or DNA swabs.”

“You pitch it as a tool against child trafficking, which is a real issue, but does swabbing a newborn really help, or does it just create a lifelong digital profile starting at day one?” the commenter asked. “Accuracy for growing kids is questionable, and the [ACLU] has pointed out how this disproportionately burdens families. Imagine the hassle for parents—it’s not protection; it’s preemptively treating every child like a data point in a government file.”
