Data-mining programs at the U.S. Department of Homeland Security are not fully reviewed by the agency for their effectiveness and, in some cases, for their compliance with privacy protection mandates, according to a report from the U.S. Government Accountability Office.
The GAO report, made public Friday, raises questions about the effect of DHS data mining on the privacy of U.S. residents, said two Democratic lawmakers.
DHS policies don't sufficiently require that the agency evaluate the effectiveness of the data-mining programs, although the agency is planning more intensive reviews of IT investments, the GAO report said. "Until such reforms are in place, DHS and its component agencies may not be able to ensure that critical data mining systems used in support of counterterrorism are both effective and that they protect personal privacy," the report said.
DHS has not completed privacy impact assessments for two of the six data-mining programs the GAO reviewed, the report said.
In addition, DHS violated its own privacy rules by sharing information from the Immigration and Customs Enforcement Pattern Analysis and Information Collection (ICEPIC) program with state and local law enforcement agencies, said Representatives Brad Miller of North Carolina and Donna Edwards of Maryland, both Democratic members of the House Science, Space and Technology Committee.
One of the "most disturbing findings" by the GAO was that ICEPIC rolled out its law enforcement sharing component before it was approved by the DHS privacy office, Miller and Edwards said in a press release. The program violates the DHS privacy impact assessment created for the program, the GAO report said.
CEPIC is used to identify "non-obvious relationship patterns among individuals and organizations that are indicative of violations of customs and immigration laws or terrorist threats," according to DHS.
"Government data mining should have tough-minded oversight if we're going to keep Americans safe from terrorism, avoid wasting tax dollars on one boondoggle technology after another, and protect the privacy of innocent Americans," Miller said in a statement. "The intelligence community has to stop using the legitimate need for some secrecy in counter-terrorism to hide from oversight, and Congress needs to get over our 'gee-whiz' attitude when we deal with the intelligence community."
A DHS spokeswoman didn't immediately respond to a request for comments on the GAO report, but the agency agreed with the GAO recommendations in the report. DHS is committed to ensuring that the data-mining programs are "adequately reviewed, deliver required capabilities, appropriately protect individual privacy, and maintain appropriate transparency to the public," wrote Jim Crumpacker, director of the GAO liaison office at DHS.
The privacy office at DHS has begun an investigation into the ICEPIC program, Edwards and Miller said.
"It is alarming that DHS needed GAO to point out that the agency's data mining program has been violating its own privacy protocols for more than three years by sharing sensitive personal information with local, state, and federal officials," Edwards said in a statement.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.