Rumsfeld tours Lithuania’s KGB Museum, a torture site during the Stalin era, in October 2005

The demonstration seemed harmless enough. Late on a June afternoon in 2004, a motley group of about 10 peace activists showed up outside the Houston headquarters of Halliburton, the giant military contractor once headed by Vice President Dick Cheney. They were there to protest the corporation's supposed "war profiteering." The demonstrators wore papier-mache masks and handed out free peanut-butter-and-jelly sandwiches to Halliburton employees as they left work. The idea, according to organizer Scott Parkin, was to call attention to allegations that the company was overcharging on a food contract for troops in Iraq. "It was tongue-in-street political theater," Parkin says.

But that's not how the Pentagon saw it. To U.S. Army analysts at the top-secret Counterintelligence Field Activity (CIFA), the peanut-butter protest was regarded as a potential threat to national security. Created three years ago by the Defense Department, CIFA's role is "force protection"—tracking threats and terrorist plots against military installations and personnel inside the United States. In May 2003, Paul Wolfowitz, then deputy Defense secretary, authorized a fact-gathering operation code-named TALON—short for Threat and Local Observation Notice—that would collect "raw information" about "suspicious incidents." The data would be fed to CIFA to help the Pentagon's "terrorism threat warning process," according to an internal Pentagon memo.

A Defense document shows that Army analysts wrote a report on the Halliburton protest and stored it in CIFA's database. It's not clear why the Pentagon considered the protest worthy of attention—although organizer Parkin had previously been arrested while demonstrating at ExxonMobil headquarters (the charges were dropped). But there are now questions about whether CIFA exceeded its authority and conducted unauthorized spying on innocent people and organizations. A Pentagon memo obtained by NEWSWEEK shows that the deputy Defense secretary now acknowledges that some TALON reports may have contained information on U.S. citizens and groups that never should have been retained. The number of reports with names of U.S. persons could be in the thousands, says a senior Pentagon official who asked not be named because of the sensitivity of the subject.

CIFA's activities are the latest in a series of disclosures about secret government programs that spy on Americans in the name of national security. In December, the ACLU obtained documents showing the FBI had investigated several activist groups, including People for the Ethical Treatment of Animals and Greenpeace, supposedly in an effort to discover possible ecoterror connections. At the same time, the White House has spent weeks in damage-control mode, defending the controversial program that allowed the National Security Agency to monitor the telephone conversations of U.S. persons suspected of terror links, without obtaining warrants.

Last Thursday, Cheney called the program "vital" to the country's defense against Al Qaeda. "Either we are serious about fighting this war on terror or not," he said in a speech to the Manhattan Institute, a conservative think tank. But as the new information about CIFA shows, the scope of the U.S. government's spying on Americans may be far more extensive than the public realizes.

It isn't clear how many groups and individuals were snagged by CIFA's dragnet. Details about the program, including its size and budget, are classified. In December, NBC News obtained a 400-page compilation of reports that detailed a portion of TALON's surveillance efforts. It showed the unit had collected information on nearly four dozen antiwar meetings or protests, including one at a Quaker meetinghouse in Lake Worth, Fla., and a Students Against War demonstration at a military recruiting fair at the University of California, Santa Cruz. A Pentagon spokesman declined to say why a private company like Halliburton would be deserving of CIFA's protection. But in the past, Defense Department officials have said that the "force protection" mission includes military contractors since soldiers and Defense employees work closely with them and therefore could be in danger.

CIFA researchers apparently cast a wide net and had a number of surveillance methods—both secretive and mundane—at their disposal. An internal CIFA PowerPoint slide presentation recently obtained by William Arkin, a former U.S. Army intelligence analyst who writes widely about military affairs, gives some idea how the group operated. The presentation, which Arkin provided to NEWSWEEK, shows that CIFA analysts had access to law-enforcement reports and sensitive military and U.S. intelligence documents. (The group's motto appears at the bottom of each PowerPoint slide: "Counterintelligence 'to the Edge'.") But the organization also gleaned data from "open source Internet monitoring." In other words, they surfed the Web.

That may have been how the Pentagon came to be so interested in a small gathering outside Halliburton. On June 23, 2004, a few days before the Halliburton protest, an ad for the event appeared on houston.indymedia.org, a Web site for lefty Texas activists. "Stop the war profiteers," read the posting. "Bring out the kids, relatives, Dick Cheney, and your favorite corporate pigs at the trough as we will provide food for free."

Four months later, on Oct. 25, the TALON team reported another possible threat to national security. The source: a Miami antiwar Web page. "Website advertises protest planned at local military recruitment facility," the internal report warns. The database entry refers to plans by a south Florida group called the Broward Anti-War Coalition to protest outside a strip-mall recruiting office in Lauderhill, Fla. The TALON entry lists the upcoming protest as a "credible" threat. As it turned out, the entire event consisted of 15 to 20 activists waving a giant BUSH LIED sign. No one was arrested. "It's very interesting that the U.S. military sees a domestic peace group as a threat," says Paul Lefrak, a librarian who organized the protest.

Arkin says a close reading of internal CIFA documents suggests the agency may be expanding its Internet monitoring, and wants to be as surreptitious as possible. CIFA has contracted to buy "identity masking" software that would allow the agency to create phony Web identities and let them appear to be located in foreign countries, according to a copy of the contract with Computer Sciences Corp. (The firm declined to comment.)

Pentagon officials have broadly defended CIFA as a legitimate response to the domestic terror threat. But at the same time, they acknowledge that an internal Pentagon review has found that CIFA's database contained some information that may have violated regulations. The department is not allowed to retain information about U.S. citizens for more than 90 days—unless they are "reasonably believed" to have some link to terrorism, criminal wrongdoing or foreign intelligence. There was information that was "improperly stored," says a Pentagon spokesman who was authorized to talk about the program (but not to give his name). "It was an oversight." In a memo last week, obtained by NEWSWEEK, Deputy Defense Secretary Gordon England ordered CIFA to purge such information from its files—and directed that all Defense Department intelligence personnel receive "refresher training" on department policies.

That's not likely to stop the questions. Last week Democrats on the Senate intelligence committee pushed for an inquiry into CIFA's activities and who it's watching. "This is a significant Pandora's box [Pentagon officials] don't want opened," says Arkin. "What we're looking at is hints of what they're doing." As far as the Pentagon is concerned, that means we've already seen too much.