Data securityGAO report: DHS data mining puts personal information at risk

Published 20 October 2011

A recent Government Accountability Office (GAO) report found that DHS and its sub-agencies do not properly protect personal information when conducting counterterrorism investigations

A recent Government Accountability Office (GAO) report found that DHS and its sub-agencies do not properly protect personal information when conducting counterterrorism investigations.

To help spot terrorist threats, DHS and its sub-agencies collect and analyze information that includes data about individuals using various techniques to identify hidden patterns, spot relationships between data, or discover evidence on massive databases in a process called data-mining.

When conducting data-mining operations, GAO determined that DHS did not adequately review the privacy and effectiveness of its data-mining systems which led to the potential compromise of personal information.

As a result of gaps in agency evaluation policies and shortfalls in system evaluations, GAO concluded that “DHS and its component agencies may not be able to ensure that critical data mining systems used in support of counterterrorism are both effective and that they protect personal privacy.”

In analyzing its data, GAO found that DHS, U.S. Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and U.S. Citizenship and Immigration Service (USCIS) did not have effective framework in place for proper oversight of the systems.

GAO was careful to note that DHS and its sub-agencies had policies in place that largely addressed transparency and oversight, but none of the systems “performed all of the key activities associated with an effective evaluation framework.”

For instance ICE’s Pattern Analysis and Information Collection system (ICEPIC) was particularly problematic as a privacy assessment was performed before the system had been completed. As a result, officials purchased and installed components later that granted outside agencies access to individual’s personal data without having to report or disclose it, placing that information at risk.

To help improve privacy protection, GAO recommended that DHS develop “requirements for providing additional scrutiny of privacy protections for the sensitive information systems that are not transparent to the public through privacy impact assessments.”

Bolstering privacy protections will become increasingly crucial as the federal government ramps up its data mining operations in an effort to review intelligence and unearth terrorist plots.