DHS must assess privacy risk before using data mining tool, GAO says

Computerworld - A tool being developed by the U.S. Department of Homeland Security (DHS) to help it sift through large volumes of data in the search for terrorist threats poses several privacy concerns, the Government Accountability Office (GAO) warned in a report released yesterday. The agency also called on the DHS to conduct a privacy impact assessment of the tool immediately to help ameliorate those risks.

The tool, called ADVISE, for Analysis, Dissemination, Visualization, Insight and Semantic Enhancement, is designed to cull very large databases and search for patterns, such as relationships between individuals and organizations, to ferret out suspicious people or activity. ADVISE is currently under development by the DHS.

In its report, the GAO raised questions about whether ADVISE could erroneously associate individuals with terrorism because of faulty data, misidentify people with similar names and rely on data collected for other purposes.

The DHS has added some security controls over ADVISE, such as data access restrictions and strong authentication processes. But these are not enough to address broader privacy concerns, the GAO said.

"A privacy impact assessment would identify specific privacy risks and help officials determine what controls are needed to mitigate those risks," the agency noted. Doing so now, while the tool is still being developed, would make it easier to implement effective controls, the report said.

In a response to the GAO report, the DHS said that ADVISE is little more than a "generic set of IT tools" that do not actually gather or use any personal data. Rather, they are simply designed to sift through and analyze information from several existing databases from multiple sources. As a result, ADVISE does not need a formal privacy impact assessment of the sort called for by the GAO, the agency said.

But the GAO noted that the tool's intended uses include applications involving personal data, which would bring it under the purview of the E-Government Act. That law emphasizes the need for privacy impact assessments.

"We agree that it is a tool that is intended to help analysts make decisions," Linda Koontz, director of information management issues at the GAO and author of the report, said in e-mailed comments to Computerworld. "Nonetheless, ADVISE has significant privacy implications.

"Our point is that these privacy implications need to be thoroughly analyzed early in the development process," she said. "ADVISE is clearly intended to analyze personal information and, therefore, we think this assessment is required now so that technical controls can be built into the application."

Christopher Pierson, a partner with Lewis and Roca LLP, a Phoenix-based law-firm, agreed with the GAO's recommendations.

"The ADVISE tool, as I understand it, is just being run over already existing databases from multiple owners," Pierson said. It does not store or create records of individuals. But when a suspicious person is identified, that information will be collected and disseminated to others. Such dissemination is covered by the E-Government Act and will require a privacy impact assessment first, he said.

"It may not be right now, but sometime or the other that line has to be crossed," he said. "The bottom line is [that] the most important place for privacy to be considered is at the early stages of any data collection or analysis activity in the federal government. They have to be done early and often."