Auditors urge DHS to assess privacy risks in data-mining program
Project has the potential to misidentify people and mistakenly associate them with terrorism or other crimes.
The Homeland Security Department has not built adequate privacy protections into a data-mining program under development, increasing the risk that innocent people could be tagged as terrorists or criminals, government auditors concluded in a report Wednesday.
A Government Accountability Office investigation of the department's Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) program is sure to fuel controversy between officials who defend data-mining tactics and privacy advocates who say the government is overreaching.
The ADVISE program has been under development since 2003 and is intended to help counterterrorism analysts sift through huge volumes of structured information, such as information in a database, and unstructured data, such as e-mails and news articles.
The program helps an analyst search for patterns in data, including relationships among people, organizations and events, and then produces visual representations of these patterns, referred to as semantic graphs.
The Homeland Security Department says it will build adequate privacy protections into the program as it becomes operational.
But GAO said the department must "immediately" conduct a privacy impact assessment for the program to identify privacy risks and implement adequate controls.
"Use of the ADVISE tool raises a number of privacy concerns," GAO said.
"DHS has added security controls to the ADVISE tool, including access restrictions, authentication procedures, and security auditing capability," GAO said. "However, it has not assessed privacy risks.
"Privacy risks that could apply to ADVISE include the potential for erroneous association of individuals with crime or terrorism, the misidentification of individuals with similar names, and the use of data that were collected for other purposes."
The Homeland Security inspector general is also conducting an investigation into the ADVISE program.
The GAO investigation was requested last year by House Appropriations Chairman David Obey, D-Wis., and former House Homeland Security Appropriations Subcommittee ranking member Martin Olav Sabo, D-Minn. The IG investigation was requested by congressional appropriators.
In response to the GAO report, the Homeland Security Department said the ADVISE program "is a set of generic IT tools and does not in itself collect or use any data."
The department added that a privacy impact assessment is "not well suited" for a tool like ADVISE, adding that a "privacy technology implementation guide" is being developed instead for the program.
Homeland Security Secretary Michael Chertoff also defended ADVISE during a speech last week before the Northern Virginia Technology Council.
"When I was investigating cases and we collected a lot of evidence ... you had to spend days and weeks sitting in a room reading it, analyzing it, taking little yellow stickies and putting them up on the wall to see what the connections and the links were, and that's how we built cases," said Chertoff, referring to his past work as a federal prosecutor.
"What we're talking about doing now is building a tool that does the same thing, but instead of doing it over a period of weeks and months, does it over a period of minutes and hours," he said.