GAO-07-293, Data Mining: Early Attention to Privacy in Developing a Key DHS Program Could Reduce Risks


This is the accessible text file for GAO report number GAO-07-293 
entitled 'Data Mining: Early Attention to Privacy in Developing a Key 
DHS Program Could Reduce Risks' which was released on March 21, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Committee on Appropriations, House of 
Representatives: 

United States Government Accountability Office: 

GAO: 

February 2007: 

Data Mining: 

Early Attention to Privacy in Developing a Key DHS Program Could Reduce 
Risks: 

GAO-07-293: 

GAO Highlights: 

Highlights of GAO-07-293, a report to the Chairman, Committee on 
Appropriations, House of Representatives 

Why GAO Did This Study: 

The government’s interest in using technology to detect terrorism and 
other threats has led to increased use of data mining. A technique for 
extracting useful information from large volumes of data, data mining 
offers potential benefits but also raises privacy concerns when the 
data include personal information. 

GAO was asked to review the development by the Department of Homeland 
Security (DHS) of a data mining tool known as ADVISE (Analysis, 
Dissemination, Visualization, Insight, and Semantic Enhancement). 
Specifically, GAO was asked to determine (1) the tool’s planned 
capabilities, uses, and associated benefits and (2) whether potential 
privacy issues could arise from using it to process personal 
information and how DHS has addressed any such issues. GAO reviewed 
program documentation and discussed these issues with DHS officials. 

What GAO Found: 

ADVISE is a data mining tool under development intended to help DHS 
analyze large amounts of information. It is designed to allow an 
analyst to search for patterns in data—such as relationships among 
people, organizations, and events—and to produce visual representations 
of these patterns, referred to as semantic graphs (see fig.) None of 
the three planned DHS implementations of ADVISE that GAO reviewed are 
fully operational. (GAO did not review uses of the tool by the DHS 
Office of Intelligence and Analysis.) The intended benefit of the 
ADVISE tool is to help detect threatening activities by facilitating 
the analysis of large amounts of data. DHS is currently in the process 
of testing the tool’s effectiveness. 

Use of the ADVISE tool raises a number of privacy concerns. DHS has 
added security controls to the tool; however, it has not assessed 
privacy risks. Privacy risks that could apply to ADVISE include the 
potential for erroneous association of individuals with crime or 
terrorism and the misidentification of individuals with similar names. 
A privacy impact assessment would identify specific privacy risks and 
help officials determine what controls are needed to mitigate those 
risks. ADVISE has not undergone such an assessment because DHS 
officials believe it is not needed given that the tool itself does not 
contain personal data. However, the tool’s intended uses include 
applications involving personal data, and the E-Government Act and 
related guidance emphasize the need to assess privacy risks early in 
systems development. Further, if an assessment were conducted and 
privacy risks identified, a number of controls could be built into the 
tool to mitigate those risks. For example, controls could be 
implemented to ensure that personal information is used only for a 
specified purpose or compatible purposes, and they could provide the 
capability to distinguish among individuals that have similar names to 
address the risk of misidentification. Because privacy has not been 
assessed and mitigating controls have not been implemented, DHS faces 
the risk that ADVISE-based system implementations containing personal 
information may require costly and potentially duplicative retrofitting 
at a later date to add the needed controls. 

What GAO Recommends: 

To ensure that privacy protections are in place, GAO is recommending 
that the Secretary of Homeland Security immediately conduct a privacy 
impact assessment of the ADVISE tool and implement privacy controls, as 
needed, to mitigate any identified risks. 

DHS generally agreed with the content of this report and described 
actions initiated to address GAO’s recommendations. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-293]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda Koontz at (202) 512-
6240 or koontzl@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

ADVISE Is Intended to Help Identify Patterns of Interest to Homeland 
Security Analysts: 

DHS Has Not Yet Addressed Key Privacy Risks Associated with Expected 
Uses of the ADVISE Tool: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Table: 

Table 1: Fair Information Practices: 

Figures: 

Figure 1: An Overview of the Data Mining Process: 

Figure 2: Major Elements and Functions of ADVISE: 

Figure 3: Typical Semantic Graph: 

Abbreviations: 

ADVISE: Analysis, Dissemination, Visualization, Insight, and Semantic 
Enhancement: 
DHS: Department of Homeland Security: 
ICAHST: Interagency Center for Applied Homeland Security Technology: 
OECD: Organization for Economic Cooperation and Development: 
OMB: Office of Management and Budget: 
PIA: privacy impact assessment: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

February 28, 2007: 

The Honorable David R. Obey: 
Chairman, Committee on Appropriations: 
House of Representatives: 

Dear Mr. Chairman: 

Since the terrorist attacks of September 11, 2001, there has been an 
increasing focus on the need to prevent and detect terrorist threats 
through technological means. Data mining--a technique for extracting 
useful information from large volumes of data--is one type of analysis 
that has been used increasingly by the government to help detect 
terrorist threats. While data mining offers a number of promising 
benefits, its use also raises privacy concerns when the data include 
personal information.[Footnote 1] 

Federal agency use of personal information is governed primarily by the 
Privacy Act of 1974 and the E-Government Act of 2002, which prescribe 
specific activities that agencies must perform to protect privacy, such 
as (1) ensuring that personal information is used only for a specified 
purpose, or related purposes, and that it is accurate for those 
purposes and (2) conducting assessments of privacy risks associated 
with information technology used to process personal information, known 
as privacy impact assessments.[Footnote 2] Agencies that wish to reap 
the potential benefits of data mining are faced with the challenge of 
implementing adequate privacy controls for the systems that they use to 
perform these analyses. 

You asked us to review the Department of Homeland Security's (DHS) 
development of an analytical tool known as Analysis, Dissemination, 
Visualization, Insight, and Semantic Enhancement (ADVISE). 
Specifically, we agreed with your staff that our objectives were to 
determine (1) the planned capabilities, uses, and associated benefits 
of the ADVISE tool and (2) whether potential privacy issues could arise 
from using ADVISE to process personal information and how DHS has 
addressed any such issues. Our review did not include intelligence 
applications, such as uses of the tool by the DHS Office of 
Intelligence and Analysis. 

To address our first objective, we identified and analyzed the ADVISE 
tool's planned capabilities, uses, and associated benefits. We reviewed 
program documentation, including annual program execution plans, and 
interviewed agency officials responsible for managing and implementing 
the program. We also interviewed officials at DHS components that have 
begun to implement the tool[Footnote 3] in order to identify their 
current or planned uses, the progress of their implementation, and the 
benefits they hope to gain. 

To address our second objective, we searched for potential privacy 
concerns by reviewing relevant reports, including prior GAO reports and 
the DHS Privacy Office 2006 report on data mining.[Footnote 4] We 
identified and analyzed actions to comply with the Privacy Act of 1974 
and the E-Government Act of 2002. We also interviewed technical experts 
within the DHS Science and Technology Directorate and personnel 
responsible for implementing ADVISE at DHS components to assess privacy 
controls included in the ADVISE tool, as well as the quality assurance 
processes for data analyzed using ADVISE. We performed our work from 
June 2006 to December 2006 in the Washington, D.C., metropolitan area 
and Laurel, Maryland. Our work was performed in accordance with 
generally accepted government auditing standards. Our objectives, 
scope, and methodology are discussed in more detail in appendix I. 

Results in Brief: 

ADVISE is a data mining tool under development that is intended to 
facilitate the analysis of large amounts of data. It is designed to 
accommodate both structured data (such as information in a database) 
and unstructured data (such as e-mail texts, reports, and news 
articles) and to allow an analyst to search for patterns in data, 
including relationships among entities (such as people, organizations, 
and events), and to produce visual representations of these patterns, 
referred to as semantic graphs. Although none are fully operational, 
DHS's planned uses of this tool include implementations at four 
departmental components (including Immigration and Customs Enforcement 
and other components).[Footnote 5] DHS is also considering further 
deployments of ADVISE. The intended benefit of the ADVISE tool is to 
help detect activities that threaten the United States by facilitating 
the analysis of large amounts of data that otherwise would be very 
difficult to review. DHS is currently in the process of testing the 
tool's effectiveness. 

Use of the ADVISE tool raises a number of privacy concerns. DHS has 
added security controls to the ADVISE tool, including access 
restrictions, authentication procedures, and security auditing 
capability. However, it has not assessed privacy risks. Privacy risks 
that could apply to ADVISE include the potential for erroneous 
association of individuals with crime or terrorism, the 
misidentification of individuals with similar names, and the use of 
data that were collected for other purposes. A privacy impact 
assessment would determine the specific privacy risks associated with 
ADVISE and help officials determine what controls are needed to 
mitigate those risks. Although DHS officials are considering conducting 
a modified version of such an assessment, the ADVISE tool has not yet 
been assessed because department officials believe it is not needed 
given that the ADVISE tool itself does not contain personal data. 
However, the tool's intended uses include applications involving 
personal information, and the E-Government Act, as well as related 
Office of Management and Budget and DHS guidance, emphasize the need to 
assess privacy risks early in systems development. Further, if a 
privacy impact assessment were conducted now and privacy risks 
identified, a number of controls exist that could be built into the 
tool to mitigate those risks. For example, controls could be 
implemented to ensure that personal information is used only for a 
specified purpose or compatible purposes, or they could provide the 
capability to distinguish among individuals that have similar names (a 
process known as disambiguation) to address the risk of 
misidentification. Because privacy risks such as these have not been 
assessed and decisions about mitigating controls have not been made, 
DHS faces the likelihood that ADVISE-based system implementations 
containing personal information may require costly and potentially 
duplicative retrofitting at a later date to add the needed privacy 
controls. 

To ensure that privacy protections are in place before DHS proceeds 
with implementations of systems based on ADVISE, we are recommending 
that the Secretary of Homeland Security immediately conduct a privacy 
impact assessment of the ADVISE tool to identify privacy risks and 
implement privacy controls to mitigate those risks. 

We obtained oral and written comments on a draft of this report from 
DHS. In its comments DHS generally agreed with the content of this 
report and described actions initiated to address our recommendations. 

Background: 

As defined in a report that we issued in May 2004,[Footnote 6] data 
mining is the application of database technology and techniques--such 
as statistical analysis and modeling--to uncover hidden patterns and 
subtle relationships in data and to infer rules that allow for the 
prediction of future results. This definition is based on the most 
commonly used terms found in a survey of the technical literature. 

Data mining has been used successfully for a number of years in the 
private and public sectors in a broad range of applications. In the 
private sector, these applications include customer relationship 
management, market research, retail and supply chain analysis, medical 
analysis and diagnostics, financial analysis, and fraud detection. In 
the government, data mining has been used to detect financial fraud and 
abuse. For example, we used data mining to identify fraud and abuse in 
expedited assistance and other disbursements to Hurricane Katrina 
victims.[Footnote 7] 

Although the characteristics of data mining efforts can vary greatly, 
data mining generally incorporates three processes: data input, data 
analysis, and results output. In data input, data are collected in a 
central data "warehouse," validated, and formatted for use in data 
mining. In the data analysis phase, data are typically queried to find 
records that match topics of interest. The two most common types of 
queries are pattern-based queries and subject-based queries: 

² Pattern-based queries search for data elements that match or depart 
from a predetermined pattern (e.g., unusual claim patterns in an 
insurance program). 

² Subject-based queries search for any available information on a 
predetermined subject using a specific identifier. This could be 
personal information such as an individual identifier (e.g., an 
individual's name or Social Security number) or an identifier for a 
specific object or location. For example, the Navy uses subject-based 
data mining to identify trends in the failure rate of parts used in its 
ships. 

The data analysis phase can be iterative, with the results of one query 
being used to refine criteria for a subsequent query. The output phase 
can produce results in printed or electronic format. These reports can 
be accessed by agency personnel and can also be shared with personnel 
from other agencies. Figure 1 depicts a generic data mining process. 

Figure 1: An Overview of the Data Mining Process: 

[See PDF for image] 

Source: GAO, adapted from Vipin Kumar and Mohammed J. Zaki. 

[End of figure] 

In recent years, data mining has emerged as a prevalent government 
mechanism for processing and analyzing large amounts of data. In our 
May 2004 report, we noted that 52 agencies were using or were planning 
to use data mining in 199 cases, of which 68 were planned, and 131 were 
operational. Additionally, following the terrorist attacks of September 
11, 2001, data mining has been used increasingly as a tool to help 
detect terrorist threats through the collection and analysis of public 
and private sector data. This may include tracking terrorist 
activities, including money transfers and communications, and tracking 
terrorists themselves through travel and immigration records. According 
to an August 2006 DHS Office of Inspector General survey of 
departmental data mining initiatives,[Footnote 8] DHS is using or 
developing 12 data mining programs, 9 of which are fully operational 
and 3 of which are still under development. 

One such effort is the ADVISE technology program. Managed by the DHS 
Science and Technology Directorate,[Footnote 9] the ADVISE program is 
primarily responsible for (1) continuing to develop the ADVISE data 
mining tool and (2) promoting and supporting its implementation 
throughout DHS. According to program officials, it has spent 
approximately $40 million to develop the tool since 2003. 

To promote the possible implementation of the tool within DHS component 
organizations, program officials have made demonstrations (using 
unclassified data) to interested officials, highlighting the tool's 
planned capabilities and expected benefits. Program officials have 
established working relationships with component organizations that are 
considering adopting the tool, including detailing them staff 
(typically contractor-provided) to assist in the setup and 
customization of their ADVISE implementation and providing training for 
the analysts who are to use it. 

Program officials project that implementation of the tool at a 
component organization should generally consist of six main phases and 
take approximately 12 to 18 months to complete. The six phases are as 
follows: 

² preparing infrastructure and installing hardware and software; 

² modeling information sources and loading data; 

² verifying and validating that loaded data are accurate and 
accessible; 

² training and familiarizing analysts and assisting in the development 
of initial research activities using visualization tools; 

² supporting analysts in identifying the best ways to use ADVISE for 
their problems, obtaining data, and developing ideas for further 
improvements; and: 

² turning over deployment to the component organizations to maintain 
the system and its associated data feeds. 

The program has also provided initial funding for the setup, 
customization, and pilot testing of implementations within components, 
under the assumption that when an implementation achieves operational 
status, the respective component will take over operations and 
maintenance costs. Program officials estimate that the tool's 
operations and maintenance costs will be approximately $100,000 per 
year, per analyst. The program has also offered additional support to 
components implementing the tool, such as helping them develop privacy 
compliance documentation. According to DHS officials, the program has 
spent $12.15 million of its $40 million in support of several pilot 
projects and test implementations throughout the department. 

Currently, the department's Interagency Center for Applied Homeland 
Security Technologies (ICAHST) group within the Science and Technology 
Directorate is testing the tool's effectiveness, adequacy, and cost- 
effectiveness as a data mining technology. ICAHST has completed 
preliminary testing of basic functionality and is currently in the 
process of testing the system's effectiveness, using mock data to test 
how well ADVISE identifies specified patterns of interest. 

Privacy Concerns Have Been Raised Regarding Data Mining: 

The impact of computer systems on the ability of organizations to 
protect personal information was recognized as early as 1973, when a 
federal advisory committee on automated personal data systems observed 
that "The computer enables organizations to enlarge their data 
processing capacity substantially, while greatly facilitating access to 
recorded data, both within organizations and across boundaries that 
separate them." In addition, the committee concluded that "The net 
effect of computerization is that it is becoming much easier for record-
keeping systems to affect people than for people to affect record-
keeping systems."[Footnote 10] 

In May 2004, we reported that mining government and private databases 
containing personal information creates a range of privacy 
concerns.[Footnote 11] Through data mining, agencies can quickly and 
efficiently obtain information on individuals or groups by searching 
large databases containing personal information aggregated from public 
and private records. Information can be developed about a specific 
individual or a group of individuals whose behavior or characteristics 
fit a specific pattern. The ease with which organizations can use 
automated systems to gather and analyze large amounts of previously 
isolated information raises concerns about the impact on personal 
privacy. 

Further, we reported in August 2005[Footnote 12] that although agencies 
responsible for certain data mining efforts took many of the key steps 
required by federal law and executive branch guidance for the 
protection of personal information, none followed all key procedures. 
Specifically, while three of the four agencies we reviewed had prepared 
privacy impact assessments (PIA)--assessments of privacy risks 
associated with information technology used to process personal 
information--for their data mining systems, none of them had completed 
a PIA that adequately addressed all applicable statutory requirements. 
We recommended that four agencies complete or revise PIAs for their 
systems to fully comply with applicable guidance. As of December 2006, 
three of the four agencies reported that they had taken action to 
complete or revise their PIAs. 

Federal Laws and Guidance Define Steps to Protect Privacy of Personal 
Information: 

Federal law includes a number of separate statutes that provide privacy 
protections for information used for specific purposes or maintained by 
specific types of entities. The major requirements for the protection 
of personal privacy by federal agencies come from two laws, the Privacy 
Act of 1974 and the privacy provisions of the E- Government Act of 
2002. The Office of Management and Budget (OMB) is tasked with 
providing guidance to agencies on how to implement the provisions of 
both laws and has done so, beginning with guidance on the Privacy Act, 
issued in 1975. 

The Privacy Act places limitations on agencies' collection, disclosure, 
and use of personal information maintained in systems of records. The 
act describes a "record" as any item, collection, or grouping of 
information about an individual that is maintained by an agency and 
contains his or her name or another personal identifier. It also 
defines "system of records" as a group of records under the control of 
any agency from which information is retrieved by the name of the 
individual or by an individual identifier. The Privacy Act requires 
that when agencies establish or make changes to a system of records, 
they must notify the public through a "system of records notice" that 
is, a notice in the Federal Register identifying, among other things, 
the type of data collected, the types of individuals about whom 
information is collected, the intended "routine" uses of data, and 
procedures that individuals can use to review and correct personal 
information.[Footnote 13] In addition, the act requires agencies to 
publish in the Federal Register notice of any new or intended use of 
the information in the system, and provide an opportunity for 
interested persons to submit written data, views, or arguments to the 
agency. 

Several provisions of the act require agencies to define and limit 
themselves to specific predefined purposes. For example, the act 
requires that to the greatest extent practicable, personal information 
should be collected directly from the subject individual when it may 
affect an individual's rights or benefits under a federal program. The 
act also requires that an agency inform individuals whom it asks to 
supply information of (1) the authority for soliciting the information 
and whether disclosure of such information is mandatory or voluntary; 
(2) the principal purposes for which the information is intended to be 
used; (3) the routine uses that may be made of the information; and (4) 
the effects on the individual, if any, of not providing the 
information. In addition, the act requires that each agency that 
maintains a system of records store only such information about an 
individual as is relevant and necessary to accomplish a purpose of the 
agency.  

Agencies are allowed to claim exemptions from some of the provisions of 
the Privacy Act if the records are used for certain purposes. For 
example, records compiled for criminal law enforcement purposes can be 
exempt from a number of provisions, including (1) the requirement to 
notify individuals of the purposes and uses of the information at the 
time of collection and (2) the requirement to ensure the accuracy, 
relevance, timeliness, and completeness of records. In general, the 
exemptions for law enforcement purposes are intended to prevent the 
disclosure of information collected as part of an ongoing investigation 
that could impair the investigation or allow those under investigation 
to change their behavior or take other actions to escape prosecution. 

The E-Government Act of 2002 strives to enhance protection for personal 
information in government information systems or information 
collections by requiring that agencies conduct PIAs. As described 
earlier, a PIA is an analysis of how personal information is collected, 
stored, shared, and managed in a federal system. More specifically, 
according to OMB guidance,[Footnote 14] a PIA is an analysis of how: 

...information is handled: (i) to ensure handling conforms to 
applicable legal, regulatory, and policy requirements regarding 
privacy; (ii) to determine the risks and effects of collecting, 
maintaining, and disseminating information in identifiable form in an 
electronic information system; and (iii) to examine and evaluate 
protections and alternative processes for handling information to 
mitigate potential privacy risks. 

Agencies must conduct PIAs before (1) developing or procuring 
information technology that collects, maintains, or disseminates 
information that is in a personally identifiable form or (2) initiating 
any new data collections involving personal information that will be 
collected, maintained, or disseminated using information technology if 
the same questions are asked of 10 or more people. OMB guidance also 
requires agencies to conduct PIAs in two specific types of situations: 
(1) when, as a result of the adoption or alteration of business 
processes, government databases holding information in personally 
identifiable form are merged, centralized, matched with other 
databases, or otherwise significantly manipulated and (2) when agencies 
work together on shared functions involving significant new uses or 
exchanges of information in personally identifiable form.[Footnote 15] 

DHS has also developed its own guidance[Footnote 16] requiring PIAs to 
be performed when one of its offices is developing or procuring any new 
technologies or systems, including classified systems, that handle or 
collect personally identifiable information. It also requires that PIAs 
be performed before pilot tests are begun for these systems or when 
significant modifications are made to them. Furthermore, DHS has 
prescribed detailed requirements for PIAs. For example, PIAs must 
describe all uses of the information, and whether the system analyzes 
data in order to identify previously unknown patterns or areas of note 
or concern. 

Fair Information Practices: 

The Privacy Act of 1974 is largely based on a set of internationally 
recognized principles for protecting the privacy and security of 
personal information known as the Fair Information Practices. A U.S. 
government advisory committee first proposed the practices in 1973 to 
address what it termed a poor level of protection afforded to privacy 
under contemporary law[Footnote 17]. The Organization for Economic 
Cooperation and Development (OEC[Footnote 18]D) developed a revised 
version of the Fair Information Practices in 1980 that has, with some 
variation, formed the basis of privacy laws and related policies in 
many countries, including the United States, Germany, Sweden, 
Australia, New Zealand, and the European Uni[Footnote 19]on. The eight 
principles of the OECD Fair Information Practices are shown in table 1. 

Table 1: Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: OECD. 

[End of table] 

The Fair Information Practices are not precise legal requirements. 
Rather, they provide a framework of principles for balancing the need 
for privacy with other public policy interests, such as national 
security, law enforcement, and administrative efficiency. Ways to 
strike that balance vary among countries and according to the type of 
information under consideration. 

ADVISE Is Intended to Help Identify Patterns of Interest to Homeland 
Security Analysts: 

ADVISE is a data mining tool under development that is intended to 
facilitate the analysis of large amounts of data. It is designed to 
accommodate both structured data (such as information in a database) 
and unstructured data (such as e-mail texts, reports, and news 
articles) and to allow an analyst to search for patterns in data, 
including relationships among entities (such as people, organizations, 
and events) and to produce visual representations of these patterns, 
referred to as semantic graphs. Although none are fully operational, 
DHS's planned uses of this tool include implementations at several 
departmental components, including Immigration and Customs Enforcement 
and other components. DHS is also considering further deployments of 
ADVISE. The intended benefit of the ADVISE tool is to help detect 
activities that threaten the United States by facilitating the analysis 
of large amounts of data that otherwise would be prohibitively 
difficult to review. DHS is currently in the process of testing the 
tool's effectiveness. 

The ADVISE Tool Provides Analytical Capabilities Intended to Identify 
Patterns of Interest to DHS Analysts: 

ADVISE provides several capabilities that help to find and track 
relationships in data. These include graphically displaying the results 
of searches and providing automated alerts when predefined patterns of 
interest emerge in the data. The tool consists of three main elements-
-the Information Layer, Knowledge Layer, and Application Layer 
(depicted in fig. 2). 

Figure 2: Major Elements and Functions of ADVISE: 

[See PDF for image] 

Source: DHS. 

[End of figure] 

Information Layer: 

At the Information Layer, disparate data are brought into the tool from 
various sources. These data sources can be both structured (such as 
computerized databases and watch lists) and unstructured (such as news 
feeds and text reports). For structured data, ADVISE contains software 
applications that load the data into the Information Layer and format 
it to conform to a specific predefined data structure, known as an 
ontology. Generally speaking, ontologies define entities (such as a 
person or place), attributes (such as name and address), and the 
relationships among them. 

For unstructured data, ADVISE includes several tools that extract 
information about entities and attributes. As with structured data, the 
output of these analyses is formatted and structured according to an 
ontology. Tagging information as specific entities and attributes is 
more difficult with unstructured data, and ADVISE includes tools that 
allow analysts to manually identify entities, attributes, and 
relationships among them. According to DHS officials, research is 
continuing on developing efficient and effective mechanisms for 
inputting different forms of unstructured data. 

ADVISE can also include information about the data--known as 
"metadata"--such as the time period to which the data pertain and 
whether the data refer to a U.S. person. ADVISE metadata also include 
confidence attributes, ranging from 1 to -1, which represent subjective 
assessments of the accuracy of the data. Each data source has a 
predefined confidence attribute. Analysts can change the confidence 
attribute of specific data, but changes to confidence levels are 
tracked and linked to the analysts making the changes. 

Knowledge Layer: 

At the Knowledge Layer, facts and relationships from the Information 
Layer are consolidated into a large-scale semantic graph and various 
subgraphs. Semantic graphing is a data modeling technique that uses a 
combination of "nodes," representing specific entities, and connecting 
lines, representing the relationships among them. Because they are well-
suited to representing data relationships and linkages, semantic graphs 
have emerged as a key technology for consolidating and organizing 
disparate data. Figure 3 represents the format that a typical semantic 
graph could take. The Knowledge Layer contains the semantic graph of 
all facts reported through the Information Layer interface and 
organized according to the ontology. 

Figure 3: Typical Semantic Graph: 

[See PDF for image] 

Source: GAO. 

[End of figure] 

The Knowledge Layer also includes the capability to provide automatic 
alerts to analysts when patterns of interest (or partial patterns) are 
matched by new incoming information. 

Application Layer: 

At the Application Layer, analysts are able to interact with the data 
that reside in the Knowledge Layer. The Application Layer contains 
tools that allow analysts to perform both pattern-based and subject- 
based queries and to search for data that match a specific pattern, as 
well as data that are connected with a specific entity. For example, 
analysts could search for all of the individuals who have traveled to a 
certain destination within a given period of time, or they could search 
for all information connected with a particular person, place, or 
organization. The resulting output of these searches is then 
graphically displayed via semantic graphs. 

ADVISE's Application Layer also provides several other capabilities 
that allow for the further examination and adjustment of its output. An 
analyst can pinpoint nodes on a semantic graph to view and examine 
additional information related to them, including the source from which 
the information and relationships are derived, the data source's 
confidence level, and whether the data pertain to U.S. persons. 

The ADVISE Application Layer also provides analysts the ability to 
monitor patterns of interest in the data. Science and Technology 
Directorate staff work with component staff to define patterns of 
interest and build an inventory of automated searches. These patterns 
are continuously being monitored in the data, and an alert is provided 
whenever there is a match. For example, an analyst could define a 
pattern of interest as "all individuals traveling from the United 
States to the Middle East in the next 6 months" and have the ADVISE 
tool provide an alert whenever this pattern emerges in the data. 

ADVISE Is Expected to Benefit DHS by Helping to Detect Potentially 
Threatening Activities: 

The current planned uses of the ADVISE tool include implementations at 
several DHS components that are planning to use it in a variety of 
homeland security applications to further their respective 
organizational missions. Currently none of these implementations is 
fully operational or widely accessible to DHS analysts. Rather, they 
are all still in various phases of systems development. These 
applications are expected to use the tool primarily to help analysts 
detect threats to the United States, such as identifying activities 
and/or individuals that could be associated with terrorism. 

The intended benefit of the ADVISE tool is to consolidate large amounts 
of structured and unstructured data and permit their analysis and 
visualization. The tool could thus assist analysts to identify and 
monitor patterns of interest that could be further investigated and 
might otherwise have been missed. 

None of the DHS components have fully implemented the tool in 
operational systems and, as discussed earlier, testing of the tool is 
still under way. Until such testing is complete and component 
implementations are fully operational, the intended benefit remains 
largely potential. 

DHS Has Not Yet Addressed Key Privacy Risks Associated with Expected 
Uses of the ADVISE Tool: 

Use of the ADVISE tool raises a number of privacy concerns. DHS has 
added security controls to the ADVISE tool, including access 
restrictions, authentication procedures, and security auditing 
capability. However, it has not assessed privacy risks. Privacy risks 
that could apply to ADVISE include the potential for erroneous 
association of individuals with crime or terrorism through data that 
are not accurate for that purpose, the misidentification of individuals 
with similar names, and the use of data that were collected for other 
purposes. A PIA would determine the privacy risks associated with 
ADVISE and help officials determine what specific controls are needed 
to mitigate those risks. Although department officials believe a PIA is 
not needed given that the ADVISE tool itself does not contain personal 
data, the E-Government Act of 2002 and related federal guidance require 
the completion of PIAs from the early stages of development. Further, 
if a PIA were conducted and privacy risks identified, a number of 
controls exist that could be built into the tool to mitigate those 
risks. For example, controls could be implemented to ensure that 
personal information is used only for a specified purpose or compatible 
purposes, or they could provide the capability to distinguish among 
individuals that have similar names (a process known as disambiguation) 
to address the risk of misidentification. Because privacy risks such as 
these have not been assessed and decisions about mitigating controls 
have not been made, DHS faces the likelihood that system 
implementations based on the tool may require costly and potentially 
duplicative retrofitting at a later date to add the needed controls. 

Potential Privacy Concerns Arise with the Use of the ADVISE Tool to 
Process Personal Information: 

Like other data mining applications, the use of the ADVISE tool in 
conjunction with personal information raises concerns about a number of 
privacy risks that could potentially have an adverse impact on 
individuals. As the DHS Privacy Office's July 2006 report on data 
mining activities notes, "privacy and civil liberties issues 
potentially arise in every phase of the data mining process."[Footnote 
20] 

Potential privacy risks can be categorized in relation to the Fair 
Information Practices, which, as discussed earlier, form the basis for 
privacy laws such as the Privacy Act. For example, the potential for 
personal information to be improperly accessed or disclosed relates to 
the security safeguards principle, which states that personal 
information should be protected against risks such as loss or 
unauthorized access, destruction, use, modification, or disclosure. 
Further, the potential for individuals to be misidentified or 
erroneously associated with inappropriate activities is inconsistent 
with the data quality principle that personal data should be accurate, 
complete, and current, as needed for a given purpose. Similarly, the 
risk that information could be used beyond the scope originally 
specified is based on the purpose specification and use limitation 
principles, which state that, among other things, personal information 
should only be collected and used for a specific purpose and that such 
use should be limited to the specified purpose and compatible purposes. 

Like other data mining applications, the ADVISE tool could misidentify 
or erroneously associate an individual with undesirable activity such 
as fraud, crime, or terrorism--a result known as a false positive. 
False positives may be the result of poor data quality, or they could 
result from the inability of the system to distinguish among 
individuals with similar names. Data quality, the principle that data 
should be accurate, current, and complete as needed for a given 
purpose, could be particularly difficult to ensure with regard to 
ADVISE because the tool brings together multiple, disparate data 
sources, some of which may be more accurate for the analytical purpose 
at hand than others. If data being analyzed by the tool were never 
intended for such a purpose or are not accurate for that purpose, then 
conclusions drawn from such an analysis would also be erroneous. 

Another privacy risk is the potential for use of the tool to extend 
beyond the scope of what it was originally designed to address, a 
phenomenon commonly referred to as function or mission "creep." Because 
it can facilitate a broad range of potential queries and analyses and 
aggregate large quantities of previously isolated pieces of 
information, ADVISE could produce aggregated, organized information 
that organizations could be tempted to use for purposes beyond that 
which was originally specified when the information was collected. The 
risks associated with mission creep are relevant to the purpose 
specification and use limitation principles. 

DHS Has Implemented Security Controls but Has Not Yet Assessed Privacy 
Risks: 

To address security, DHS has included several types of controls in 
ADVISE. These include authentication procedures, access controls, and 
security auditing capability. For example, an analyst must provide a 
valid user name and password in order to gain access to the tool. 
Further, upon gaining access, only users with appropriate security 
clearances may view sensitive data sets. Each service requested by a 
user--such as issuing a query or retrieving a document--is checked 
against the user's credentials and access authorization before it is 
provided. In addition, these user requests and the tool's responses to 
them are all recorded in an audit log. 

While inclusion of controls such as these is a key step in guarding 
against unauthorized access, use, disclosure, or modification, such 
controls alone do not address the full range of potential privacy 
risks. The need to evaluate such risks early in the development of 
information technology is consistently reflected in both law (the E- 
Government Act of 2002) and related federal guidance. The E-Government 
Act requires that a PIA be performed before an agency develops or 
procures information technology that collects, maintains, or 
disseminates information in a personally identifiable form. Further, 
both OMB and DHS PIA guidance emphasize the need to assess privacy 
risks from the early stages of development.[Footnote 21] 

However, although DHS officials are considering performing a PIA, no 
PIA or other privacy risk assessment has yet been conducted. The DHS 
Privacy Office[Footnote 22] instructed the Science and Technology 
Directorate that a PIA was not required because the tool alone did not 
contain personal data.[Footnote 23] According to the Privacy Office 
rationale, only specific system implementations based on ADVISE that 
contained personal data would likely require PIAs, and only at the time 
they first began to use such data. However, guidance on conducting PIAs 
makes it clear that they should be performed at the early stages of 
development. OMB's PIA guidance requires PIAs at the IT development 
stage, stating that they "should address the impact the system will 
have on an individual's privacy, specifically identifying and 
evaluating potential threats relating to elements identified [such as 
the nature, source, and intended uses of the information] to the extent 
these elements are known at the initial stages of development." 
Regarding ADVISE, the tool's intended uses include applications 
containing personal information. Thus the requirement to conduct a PIA 
from the early stages of development applies. 

As of November 2006, the ADVISE program office and DHS Privacy Office 
were in discussions regarding the possibility of conducting a privacy 
assessment similar to a PIA but modified to address the development of 
a technological tool. No final decision has yet been made on whether or 
how to proceed with a PIA. However, until such an assessment is 
performed, DHS cannot be assured that privacy risks have been 
identified or will be mitigated for system implementations based on the 
tool. 

Privacy Protection Controls to Mitigate Identified Risks Exist and 
Could Be Built into ADVISE: 

A variety of privacy controls can be built into data mining software 
applications, including the ADVISE tool, to help mitigate risks 
identified in PIAs and protect the privacy of individuals whose 
information may be processed. DHS has recognized the importance of 
implementing such privacy protections when data mining applications are 
being developed. Specifically, in its July 2006 report, the DHS Privacy 
Office recommended instituting controls for data mining activities that 
go beyond conducting PIAs and implementing standard security controls. 
Such measures could be applied to the development of the ADVISE 
tool.[Footnote 24] Among other things, the DHS Privacy Office 
recommended that DHS components use data mining tools principally as 
investigative tools and not as a means of making automated decisions 
regarding individuals.[Footnote 25] The report also emphasizes that 
data mining should produce accurate results and recommends that DHS 
adopt data quality standards for data used in data mining. Further, the 
report recommends that data mining projects give explicit consideration 
to using anonymized data when personally identifiable information is 
involved. Although some of the report's recommendations may apply only 
to operational data mining activities, many reflect system 
functionalities that can be addressed during technology development. 

Based on privacy risks identified in a PIA, controls exist that could 
be implemented in ADVISE to mitigate those risks. For example, controls 
could be implemented to enforce use limitations associated with the 
purpose specified when the data were originally collected. 
Specifically, software controls could be implemented that require an 
analyst to specify an allowable purpose and check that purpose against 
the specified purposes of the databases being accessed. 

Regarding data quality risks, the ADVISE tool currently does not have 
the capability to distinguish among individuals with similar 
identifying information, nor does it have a mechanism to assess the 
accuracy of the relationships it uncovers. To address the risk of 
misidentification, software could be added to the tool to distinguish 
among individuals that have similar names, a process known as 
disambiguation. Disambiguation tools have been developed for other 
applications. Additionally, although the ADVISE tool includes a feature 
that allows analysts to designate confidence levels for individual 
pieces of data, no mechanism has been developed to assess the 
confidence of relationships identified by the tool. While software 
specifically to determine data quality would be difficult to develop, 
other controls exist that could be readily used as part of a strategy 
for mitigating this risk. For example, anonymization could be used to 
minimize the exposure of personal data, and operational procedures 
could be developed to restrict the use of analytical results containing 
personal information that could have data quality concerns. To 
implement anonymization, the tool would need the software capability to 
handle anonymized data or have a built-in data anonymizer. DHS 
currently does not have plans to build anonymization into the ADVISE 
tool.[Footnote 26] 

Until a PIA that identifies the privacy risks of ADVISE is conducted 
and privacy controls to mitigate those risks are implemented, DHS faces 
the risk that privacy concerns will arise during implementation of 
systems based on ADVISE that may be more difficult to address at that 
stage and possibly require costly retrofitting. 

Conclusions: 

The ADVISE tool is intended to provide the capability to ingest large 
amounts of data from multiple sources and to display relationships that 
can be discerned within the data. Although the ADVISE tool has not yet 
been fully implemented and its effectiveness is still being evaluated, 
the chief intended benefit is to help detect activities threatening to 
the United States by facilitating the analysis of large amounts of 
data. 

The ADVISE tool incorporates security controls intended to protect the 
information it processes from unauthorized access. However, because 
ADVISE is intended to be used in ways that are likely to involve 
personal data, a range of potential privacy risks could be involved in 
its operational use. Thus, it is important that those risks be 
assessed--through a PIA--so that additional controls can be established 
to mitigate them. However, DHS has not yet conducted a PIA, despite the 
fact that the E-Government Act and related OMB and DHS guidance 
emphasize the need to assess privacy risks early in systems 
development. Although DHS officials stated that they believe a PIA is 
not required because the tool alone does not contain personal data, 
they also told us they are considering conducting a modified PIA for 
the tool. Until a PIA is conducted, little assurance exists that 
privacy risks have been rigorously considered and mitigating controls 
established. If controls are not addressed now, they may be more 
difficult and costly to retrofit at a later stage. 

Recommendations for Executive Action: 

To ensure that privacy protections are in place before DHS proceeds 
with implementations of systems based on ADVISE, we recommend that the 
Secretary of Homeland Security take the following two actions: 

² immediately conduct a privacy impact assessment of the ADVISE tool to 
identify privacy risks, such as those described in this report, and: 

² implement privacy controls to mitigate potential privacy risks 
identified in the PIA. 

Agency Comments and Our Evaluation: 

We received oral and written comments on a draft of this report from 
the DHS Departmental GAO/Office of Inspector General Liaison Office. 
(Written comments are reproduced in appendix II.) DHS officials 
generally agreed with the content of this report and described actions 
initiated to address our recommendations. DHS also provided technical 
comments, which have been incorporated in the final report as 
appropriate. 

In its comments DHS emphasized the fact that the ADVISE tool itself 
does not contain personal data and that each deployment of the tool 
will be reviewed through the department's privacy compliance process, 
including, as applicable, development of a PIA and a system of records 
notice. DHS further stated that it is currently developing a "Privacy 
Technology Implementation Guide" to be used to conduct a PIA for 
ADVISE. Although we have not reviewed the guide, it appears to be a 
positive step toward developing a PIA process to address technology 
tools such as ADVISE. 

It is not clear from the department's response whether the privacy 
controls identified based on applying the Privacy Technology 
Implementation Guide to ADVISE are to be incorporated into the tool 
itself. We believe that any controls identified by a PIA to mitigate 
privacy risks should be implemented, to the extent possible, in the 
tool itself. Specific development efforts that use the tool will then 
have these integrated controls readily available, thus reducing the 
potential for added costs and technical risks. The department also 
requested that we change the wording of our recommendation; however, we 
have retained the wording in our draft report because it clearly 
emphasizes the need to incorporate privacy controls into the ADVISE 
tool itself. 

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to the Secretary of Homeland Security and other interested 
congressional committees. Copies will be made available to others on 
request. In addition, this report will be available at no charge on our 
Web site at www.gao.gov. 

If you have any questions concerning this report, please call me at 
(202) 512-6240 or send e-mail to koontzl@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix III. 

Sincerely yours, 

Signed by: 

Linda D. Koontz: 
Director, Information Management Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to determine the following: 

² the planned capabilities, uses, and associated benefits of the 
Analysis Dissemination, Visualization, Insight, and Semantic 
Enhancement (ADVISE) tool and: 

² whether potential privacy issues could arise from using the ADVISE 
tool to process personal information and how the Department of Homeland 
Security (DHS) has addressed any such issues. 

To address our first objective, we identified and analyzed the tool's 
capabilities, planned uses, and associated benefits. We reviewed 
program documentation, including annual program execution plans, and 
interviewed agency officials responsible for managing and implementing 
the program, including officials from the DHS Science and Technology 
Directorate and the Lawrence Livermore and Pacific Northwest National 
Laboratories. We also viewed a demonstration of the tool's semantic 
graphing capability. In addition, we interviewed officials at DHS 
components to identify their current or planned uses of ADVISE, the 
progress of their implementations, and the benefits they hope to gain 
from using the tool. These components included Immigrations and Customs 
Enforcement and other components. We also interviewed officials from 
the Interagency Center of Applied Homeland Security Technology 
(ICAHST), who are responsible for conducting testing of the tool's 
capabilities. We also visited ICAHST at the John Hopkins Applied 
Physics Laboratory in Laurel, Maryland, to view a demonstration of its 
testing activities. We did not conduct work or review implementations 
of ADVISE at the DHS Office of Intelligence and Analysis. 

To address our second objective, we identified potential privacy 
concerns that could arise from using the ADVISE tool by reviewing 
relevant reports, including prior GAO reports and the DHS Privacy 
Office 2006 report on data mining. We identified and analyzed DHS 
actions to comply with the Privacy Act of 1974 and the E-Government Act 
of 2002. We interviewed technical experts within the DHS Science and 
Technology Directorate and personnel responsible for implementing 
ADVISE at DHS components to assess privacy controls included in the 
ADVISE tool. We also interviewed officials from the DHS Privacy Office. 
We performed our work from June 2006 to December 2006 in the 
Washington, D.C., metropolitan area. Our work was performed in 
accordance with generally accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

February 2, 2007: 

Ms. Linda D. Koontz: 
Director, Information Management Issues: 
U.S. Government Accountability Office: 
Washington, D. C. 20548: 

Dear Ms. Koontz: 

Thank you for the opportunity to comment on the draft report GAO-07-293 
"Datamining: Early Attention to Privacy in Developing a Key DHS Program 
Could Reduce Risks". In this draft report, GAO recommends that "the 
Secretary of Homeland Security immediately conduct a privacy impact 
assessment (PIA) of the ADVISE tool and implement privacy controls as 
needed to mitigate any identified risks" to ensure that privacy 
protections are in place.  

The ADVISE toolset is a set of generic IT tools and does not in itself 
collect or use any data. The individual ADVISE tools could be combined 
to create specific systems which would be designed to support specific 
operational needs. Each of these deployments of the ADVISE toolset 
would be reviewed and reported through the DHS privacy compliance 
process and documented in the Privacy Threshold Analysis (PTA) and, as 
applicable, the Privacy Impact Assessment (PIA) and System of Records 
Notice (SORN). 

Within DHS, the term "Privacy Impact Assessment" refers to two separate 
and related functions. The first is the PIA activity of assessing a 
technology, program, etc. for potential privacy impacts. The second is 
the PIA report that documents the results of that assessment activity. 
The distinctions between these two meanings of the term may help to 
clarify DHS's approach to assessing the potential privacy impacts of 
the ADVISE toolset. 

The DHS Privacy Impact Assessment form (the report) is designed for 
operational systems and is not well suited to open-ended toolsets like 
ADVISE. In conducting the privacy impact assessment (the activity) DHS 
decided that a different type of document would better fit the nature 
of the ADVISE toolset. Rather than using a descriptive reporting 
document, DHS is using a proscriptive guidance document that is 
tailored to the specific nature of the ADVISE toolset. This guidance 
document is called a "Privacy Technology Implementation Guide" and is 
currently being developed by the DHS Privacy Office. 

The Privacy Technology Implementation Guide is more adaptable to 
technology frameworks like ADVISE and provides guidance as to how the 
individual ADVISE tools could be implemented in privacy protective 
ways. System Developers building specific implementations of ADVISE can 
use the Guide to build privacy protections into the systems as part of 
the development process. The flexibility of the Privacy Technology 
Implementation Guide allows for integrated privacy protection in all 
uses of the ADVISE tools and will be complemented by Privacy Impact 
Assessment documents for operational deployments (individual systems). 

The current draft of the Privacy Technology Implementation Guide for 
ADVISE is organized into two sections. The first section identifies 
privacy protections related to the general nature of ADVISE as a set of 
tools and recommends that the same privacy protections related to 
datamining be applied to ADVISE. This first section further recommends 
that the value and limitations of ADVISE tools be specifically 
identified and matched to the purpose and success measures of the 
specific DHS mission the tool would be implemented to support. The 
second section is organized by the technology architecture (information 
layer, knowledge layer, security layer, application layer) and offers 
specific guidance for integrating privacy protection into the use of 
the tools from each of these architectural components. 

The privacy impact assessment activity led to the determination that a 
new type of document would further assist in building privacy 
protections into technology. The Privacy Technology Implementation 
Guide is that new type of documentation and is being developed to 
accompany the toolset itself. The expected result is that as technology 
developers decide that the ADVISE toolset could be used to meet a 
particular DHS need, they receive privacy technology guidance along 
with the toolset to assist in building privacy protections into the 
system from the beginning. DHS will continue to use the suite of 
privacy compliance documents (PTA, PIA, SORN) to report on the 
potential privacy impacts and integrated privacy protections for each 
individual systems. 

Requested change to GAO recommendation: 

Based on the above, DHS requests that GAO revise its recommendations to 
read: 

"To ensure that privacy protections are integrated into the development 
process, the Secretary of Homeland Security should create privacy 
controls for the ADVISE toolset to guide specific development efforts 
and conduct a privacy impact assessment for each ADVISE deployment to 
ensure those controls are implemented and effective." 

Two additional edits: 

* Page 21, Table 2: Please remove the ICE "implementation." DHS is only 
engaged in early discussion and no implementation is currently planned. 

* Page 26: The report seems to suggest that ADVISE provides an 
automated means for making decisions regarding individuals. DHS would 
like to clarify that ADVISE is an aid for analysts in identifying 
relationships and patterns of interest. ADVISE is an analysis tool an 
not a decision- making tool. The tool itself does not make decisions. 

DHS appreciates GAO's work in planning, conducting and issuing this 
report and for the opportunity to review the draft. 

Sincerely, 

Signed by: 

Steven J. Pecinovsky:  
Director, Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Linda D. Koontz, (202) 512-6240 or koontzl@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, John de Ferrari, Assistant 
Director; Idris Adjerid; Nabajyoti Barkakati; Barbara Collier; David 
Plocher; and Jamie Pressman made key contributions to this report. 

FOOTNOTES 

[1] For purposes of this report, the term personal information 
encompasses all information associated with an individual, including 
both identifying and nonidentifying information. Personally identifying 
information, which can be used to locate or identify an individual, 
includes things such as names, aliases, and agency-assigned case 
numbers. 

[2] A privacy impact assessment is an analysis of how personal 
information is collected, stored, shared, and managed in a federal 
system to ensure that privacy requirements are addressed. 

[3] These DHS components include Immigration and Customs Enforcement 
and other components. We also interviewed officials from the 
Interagency Center of Applied Homeland Security Technology, who are 
responsible for testing the tool's capabilities. ADVISE is also being 
used by the Office of Intelligence and Analysis. We did not review that 
application. 

[4] DHS, Data Mining Report: DHS Privacy Office Response to House 
Report 108-774 (July 6, 2006). 

[5] ADVISE is also being used by the Office of Intelligence and 
Analysis. We did not review that application. 

[6] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-
04-548 (Washington, D.C.: May 4, 2004). 

[7] GAO, Expedited Assistance for Victims of Hurricane Katrina and 
Rita: FEMA's Control Weaknesses Exposed the Government to Significant 
Fraud and Abuse, GAO-06-403T (Washington, D.C.: Feb. 13, 2006). 

[8] DHS Office of Inspector General, Survey of DHS Data Mining 
Activities (August 2006). 

[9] The mission of the Science and Technology Directorate is to act as 
the primary research and development arm of DHS, providing federal, 
state, and local officials with the technology and capabilities to 
protect the United States homeland. 

[10] U.S. Department of Health, Education, and Welfare, Records, 
Computers and the Rights of Citizens: Report of the Secretary's 
Advisory Committee on Automated Personal Data Systems (Washington, 
D.C.: July 1973). 

[11] GAO-04-548. 

[12] GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy 
in Selected Efforts, but Significant Compliance Issues Remain, GAO-05-
866 (Washington, D.C.: Aug. 15, 2005). 

[13] Under the Privacy Act of 1974, the term "routine use" means (with 
respect to the disclosure of a record) the use of such a record for a 
purpose that is compatible with the purpose for which it was collected. 
5 U.S.C. § 552a(a)(7). 

[14] OMB, Guidance for Implementing the Privacy Provisions of the E- 
Government Act of 2002, Memorandum M-03-22 (Washington, D.C.: Sept. 26, 
2003). 

[15] A PIA may not be required for all systems. For example, no 
assessment is required when the information collected relates to 
internal government operations, when the information has been 
previously assessed under an evaluation similar to a PIA, or when 
privacy issues are unchanged. 

[16] DHS Privacy Office, PIA Official Guidance (March 2006). 

[17] U.S. Department of Health, Education, and Welfare, Records, 
Computers and the Rights of Citizens: Report of the Secretary's 
Advisory Committee on Automated Personal Data Systems (Washington, 
D.C.: July 1973). 

[18] OECD, Guidelines on the Protection of Privacy and Transborder Flow 
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in 
fostering good governance in the public service and in corporate 
activity among its 30 member countries. It produces internationally 
agreed-upon instruments, decisions, and recommendations to promote 
rules in areas where multilateral agreement is necessary for individual 
countries to make progress in the global economy. 

[19] European Union Data Protection Directive ("Directive 95/46/EC of 
the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal 
Data and the Free Movement of Such Data") (1995). 

[20] DHS, Data Mining Report: DHS Privacy Office Response to House 
Report 108-774 (July 6, 2006), p. 12. 

[21] DHS PIA guidance states that "[t]he purpose of a PIA is to 
demonstrate that system owners and developers have consciously 
incorporated privacy protections throughout the entire life cycle of a 
system. This involves making certain that privacy protections are built 
into the system from the start, not after the fact when they can be far 
more costly or could affect the viability of the project." In addition, 
OMB guidance states that "[a]gencies should commence a PIA when they 
begin to develop a new or significantly modified IT system." 

[22] The DHS Privacy Office was created in response to the Homeland 
Security Act of 2002, Pub. L. No. 107-296, § 222, 116 Stat. 2155 (Nov. 
25, 2002). The Privacy Officer is responsible for, among other things, 
"assuring that the use of technologies sustain[s], and do[es] not erode 
privacy protections relating to the use, collection, and disclosure of 
personal information." 

[23] It is important to note the distinction between the PIA 
requirement, based on the E-Government Act, and the requirements of the 
Privacy Act. Because the ADVISE tool itself does not contain any data, 
it is not considered a system of records for purposes of the Privacy 
Act and thus is not subject to the requirements of that law. As ADVISE 
implementations move from development to operations, they may lead to 
the creation or modification of systems of records, which would require 
the development of appropriate privacy notices to be published in the 
Federal Register and other actions to protect privacy. 

[24] The Privacy Office's report states that ADVISE is a "technology" 
and not a data mining program. Accordingly, the report's 
recommendations ostensibly would not apply to ADVISE. However, the 
report acknowledges that uses of ADVISE may constitute data mining, in 
which case the recommendations would apply. 

[25] ADVISE does not provide an automated means for making decisions 
about individuals. Rather, it is an analysis tool to aid analysts in 
identifying relationships and patterns of interest. 

[26] In addition, a feature was to be implemented in January 2007 that 
would enforce an internal DHS rule regarding how long information about 
U.S. persons can be maintained in intelligence data bases. However, 
because this control is designed to respond only to the DHS rule--and 
not to identified privacy risks--it leaves potential concerns 
unaddressed about how personal information is used when it is 
maintained and processed by ADVISE. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: