Homeland Security
Continuing Attention to Privacy Concerns is Needed as Programs Are Developed Gao ID: GAO-07-630T March 21, 2007Advances in information technology make it easier than ever for the Department of Homeland Security (DHS) and other agencies to obtain and process information about citizens and residents in many ways and for many purposes. The demands of the war on terror also drive agencies to extract as much value as possible from the information available to them, adding to the potential for compromising privacy. Recognizing that securing the homeland and protecting the privacy rights of individuals are both important goals, the Congress has asked GAO to perform several reviews of DHS programs and their privacy implications over the past several years. For this hearing, GAO was asked to testify on key privacy challenges facing DHS. To address this issue, GAO identified and summarized issues raised in its previous reports on privacy and assessed recent governmentwide privacy guidance.
As it develops and participates in important homeland security activities, DHS faces challenges in ensuring that privacy concerns are addressed early, are reassessed when key programmatic changes are made, and are thoroughly reflected in guidance on emerging technologies and uses of personal data. GAO's reviews of DHS programs have identified cases where these challenges were not fully met. For example, increased use by federal agencies of data mining--the analysis of large amounts of data to uncover hidden patterns and relationships--has been accompanied by uncertainty regarding privacy requirements and oversight of such systems. As described in a recent GAO report, DHS did not assess privacy risks in developing a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement), as required by the E-Government Act of 2002. ADVISE is a data mining tool under development intended to help the department analyze large amounts of information. Because privacy had not been assessed and mitigating controls had not been implemented, DHS faced the risk that uses of ADVISE in systems containing personal information could require costly and potentially duplicative retrofitting at a later date to add the needed controls. GAO has also reported on privacy challenges experienced by DHS in reassessing privacy risks when key programmatic changes were made during development of a prescreening program for airline passengers. The Transportation Security Administration (TSA) has been working to develop a computer-assisted passenger prescreening system, known as Secure Flight, to be used to evaluate passengers before they board an aircraft on domestic flights. GAO reported that TSA had not fully disclosed uses of personal information during testing of Secure Flight, as required by the Privacy Act of 1974. To prevent such problems from recurring, TSA officials recently said that they have added privacy experts to Secure Flight's development teams to address privacy considerations on a continuous basis as they arise. Another challenge DHS faces is ensuring that privacy considerations are addressed in the emerging information sharing environment. The Intelligence Reform and Terrorism Prevention Act of 2004 requires the establishment of an environment to facilitate the sharing of terrorism information, as well as the issuance of privacy guidelines for operation in this environment. Recently issued privacy guidelines developed by the Office of the Director of National Intelligence provide only a high-level framework for privacy protection. While DHS is only one participant, it has the responsibility to ensure that the information under its control is shared with other organizations in ways that adequately protect privacy. Accordingly, it will be important for the department to clearly establish departmental guidelines so that privacy protections are implemented properly and consistently.
GAO-07-630T, Homeland Security: Continuing Attention to Privacy Concerns is Needed as Programs Are Developed
This is the accessible text file for GAO report number GAO-07-630T
entitled 'Homeland Security: Continuing Attention to Privacy Concerns
is Needed as Programs Are Developed' which was released on March 21,
2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Homeland Security, Committee on
Appropriations, House of Representatives:
For Release on Delivery:
Expected at 10:00 a.m. EDT Wednesday, March 21, 2007:
Homeland Security:
Continuing Attention to Privacy Concerns is Needed as Programs Are
Developed:
Statement of Linda D. Koontz:
Director, Information Management Issues:
GAO-07-630T:
GAO Highlights:
Highlights of GAO-07-630T, a testimony before the Subcommittee on
Homeland Security, Committee on Appropriations, House of
Representatives
Why GAO Did This Study:
Advances in information technology make it easier than ever for the
Department of Homeland Security (DHS) and other agencies to obtain and
process information about citizens and residents in many ways and for
many purposes. The demands of the war on terror also drive agencies to
extract as much value as possible from the information available to
them, adding to the potential for compromising privacy. Recognizing
that securing the homeland and protecting the privacy rights of
individuals are both important goals, the Congress has asked GAO to
perform several reviews of DHS programs and their privacy implications
over the past several years.
For this hearing, GAO was asked to testify on key privacy challenges
facing DHS. To address this issue, GAO identified and summarized issues
raised in its previous reports on privacy and assessed recent
governmentwide privacy guidance.
What GAO Found:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. GAO‘s reviews of DHS programs have identified
cases where these challenges were not fully met. For example, increased
use by federal agencies of data mining”the analysis of large amounts of
data to uncover hidden patterns and relationships”has been accompanied
by uncertainty regarding privacy requirements and oversight of such
systems. As described in a recent GAO report, DHS did not assess
privacy risks in developing a data mining tool known as ADVISE
(Analysis, Dissemination, Visualization, Insight, and Semantic
Enhancement), as required by the E-Government Act of 2002. ADVISE is a
data mining tool under development intended to help the department
analyze large amounts of information. Because privacy had not been
assessed and mitigating controls had not been implemented, DHS faced
the risk that uses of ADVISE in systems containing personal information
could require costly and potentially duplicative retrofitting at a
later date to add the needed controls.
GAO has also reported on privacy challenges experienced by DHS in
reassessing privacy risks when key programmatic changes were made
during development of a prescreening program for airline passengers.
The Transportation Security Administration (TSA) has been working to
develop a computer-assisted passenger prescreening system, known as
Secure Flight, to be used to evaluate passengers before they board an
aircraft on domestic flights. GAO reported that TSA had not fully
disclosed uses of personal information during testing of Secure Flight,
as required by the Privacy Act of 1974. To prevent such problems from
recurring, TSA officials recently said that they have added privacy
experts to Secure Flight‘s development teams to address privacy
considerations on a continuous basis as they arise.
Another challenge DHS faces is ensuring that privacy considerations are
addressed in the emerging information sharing environment. The
Intelligence Reform and Terrorism Prevention Act of 2004 requires the
establishment of an environment to facilitate the sharing of terrorism
information, as well as the issuance of privacy guidelines for
operation in this environment. Recently issued privacy guidelines
developed by the Office of the Director of National Intelligence
provide only a high-level framework for privacy protection. While DHS
is only one participant, it has the responsibility to ensure that the
information under its control is shared with other organizations in
ways that adequately protect privacy. Accordingly, it will be important
for the department to clearly establish departmental guidelines so that
privacy protections are implemented properly and consistently.
What GAO Recommends:
Because GAO has already made privacy-related recommendations in its
earlier reports, it is making no further recommendations at this time.
Officials have taken action or have said they are in the process of
taking action to address the recommendations. Implementation is
critical to ensuring that privacy protections are in place throughout
key DHS programs and activities.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-630T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda Koontz at (202) 512-
6240 or koontzL@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
I appreciate the opportunity to be here today to discuss issues in
enhancing personal privacy while meeting homeland security needs. As
the federal government obtains and processes personal
information[Footnote 1] about citizens and residents in increasingly
diverse ways to better secure our homeland, it is important that this
information be properly protected and the privacy rights of individuals
respected. Advances in information technology make it easier than ever
for the Department of Homeland Security (DHS) and other agencies to
acquire data on individuals, analyze it for a variety of purposes, and
share it with other governmental and nongovernmental entities. Further,
the demands of the war on terror drive agencies to extract as much
value as possible from the information available to them, adding to the
potential for compromising privacy. Given that securing the homeland
and protecting the privacy rights of individuals are both important
goals, it is incumbent on the government to find ways to do both well
without compromising either.
As requested, my statement will focus on key privacy challenges facing
DHS as it develops systems and methods for fighting the war on terror.
After a brief description of the laws and guidance that apply to
federal agency use of personal information, I will summarize our work
on key programs and activities in which privacy considerations have
been prominent, including data mining, passenger prescreening, use of
commercial data, and radio frequency identification technology. I will
also comment on the department's role in participating in the
governmentwide information sharing environment, which is being
established by the administration to facilitate the sharing of
terrorism information among governmental entities.[Footnote 2]
To address key privacy challenges facing DHS, we identified and
summarized issues raised in our previous reports on privacy, including
our work on data mining,[Footnote 3] passenger prescreening,[Footnote
4] commercial data,[Footnote 5] and radio frequency identification
applications.[Footnote 6] We also assessed recent governmentwide
privacy guidance for the information sharing environment and identified
privacy challenges DHS is likely to face as a participant. We conducted
our work in accordance with generally accepted government auditing
standards. To provide additional information on our previous privacy-
related work, I have included, as attachment 1, a list of pertinent GAO
publications.
Results in Brief:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. Our reviews of DHS programs have identified
cases where these challenges were not fully met. For example:
* Ensuring that data mining efforts do not compromise privacy
protections. Increased use by federal agencies of data mining--the
analysis of large amounts of data to uncover hidden patterns and
relationships--has been accompanied by uncertainty regarding privacy
requirements and oversight of such systems. For example, as described
in our recent report,[Footnote 7] DHS did not assess privacy risks in
developing a data mining tool known as ADVISE (Analysis, Dissemination,
Visualization, Insight, and Semantic Enhancement), as required by the E-
Government Act of 2002. Because privacy had not been assessed and
mitigating controls had not been implemented, DHS faced the risk that
ADVISE-based systems containing personal information could require
costly and potentially duplicative retrofitting at a later date to add
the needed controls. Accordingly, we recommended that DHS immediately
conduct a privacy impact assessment of the ADVISE tool to identify
privacy risks and implement privacy controls to mitigate those risks.
In its comments DHS stated that it is currently developing a "Privacy
Technology Implementation Guide" to be used to conduct a PIA.
* Ensuring privacy protection in developing and implementing
prescreening programs for airline passengers. In accordance with a
requirement set forth in the Aviation and Transportation Security Act,
the Transportation Security Administration (TSA) has been working to
develop a computer-assisted passenger prescreening system, known as
Secure Flight, to be used to evaluate passengers before they board an
aircraft domestically. In previous work, we reported that TSA had not
fully disclosed uses of personal information during testing of Secure
Flight, as required by the Privacy Act of 1974. To prevent such
problems from recurring, TSA officials recently said that they have
added privacy experts to Secure Flight's development teams to address
privacy considerations on a continuous basis as they arise.
* Controlling the collection and use of personal information obtained
from commercial sources, known as "information resellers." A major task
confronting federal agencies, especially those engaged in antiterrorism
tasks, is to ensure that information obtained from resellers is being
appropriately used and protected. In previous work, we reported that
agencies were uncertain about the applicability of privacy requirements
to this information, which led to inconsistencies in how it was
treated. For example, public notices required by the Privacy Act did
not always disclose the use of information from resellers. We
recommended that DHS develop a policy concerning the use of such
information, which according to the DHS Privacy Office is currently in
draft.
* Ensuring that applications using radio frequency identification
technology (RFID) protect privacy consistently. RFID technology uses
wireless communication to transmit data and thus electronically
identify, track, and store information on tags attached to or embedded
in objects. Our recent work on US-VISIT[Footnote 8]--a DHS program to
collect data on selected foreign nationals entering and exiting the
United States--identified problems with the use of RFID for human
identification.[Footnote 9] Although the Secretary of Homeland Security
has announced that RFID use by US-VISIT is to be discontinued, another
DHS border control program, the Western Hemisphere Travel Initiative,
still plans to use the technology. Without departmental guidance on the
use of RFID, DHS programs may use the technology inconsistently,
potentially creating unnecessary privacy risks. According to the DHS
Privacy Office, it is considering developing guidance to address the
use of specific technologies, including RFID.
* Ensuring that privacy considerations are addressed consistently and
effectively in the information sharing environment. As directed by the
Intelligence Reform and Terrorism Prevention Act of 2004, the
administration has taken steps, beginning in 2005, to establish an
information sharing environment to facilitate the sharing of terrorism
information. However, privacy guidelines recently issued for the
information sharing environment provide only a high-level framework for
ensuring privacy protection and do not address how the collection of
information is to be limited. Because DHS participates in the
information sharing environment, potentially sharing information with
many other intelligence and law enforcement entities both within and
outside the federal government, it will be important for the department
to ensure that departmental guidelines are clearly established so that
privacy protections are implemented properly and consistently.
We have made recommendations to DHS in several of these areas to ensure
that privacy issues are adequately addressed, and officials have taken
action or told us they are in the process of taking action to address
them. Implementation of these recommendations is critical to ensuring
that privacy protections are in place throughout key DHS programs and
activities.
Background: Federal Laws and Guidance Govern Use of Personal
Information in Federal Agencies:
The major requirements for the protection of personal privacy by
federal agencies are specified in two laws, the Privacy Act of 1974 and
the E-Government Act of 2002. The Federal Information Security
Management Act of 2002 (FISMA) also addresses the protection of
personal information in the context of securing federal agency
information and information systems.
The Privacy Act places limitations on agencies' collection, disclosure,
and use of personal information maintained in systems of records. The
act describes a "record" as any item, collection, or grouping of
information about an individual that is maintained by an agency and
contains his or her name or another personal identifier. It also
defines "system of records" as a group of records under the control of
any agency from which information is retrieved by the name of the
individual or by an individual identifier. The Privacy Act requires
that when agencies establish or make changes to a system of records,
they must notify the public by a "system-of-records notice" that is, a
notice in the Federal Register identifying, among other things, the
type of data collected, the types of individuals about whom information
is collected, the intended "routine" uses of data, and procedures that
individuals can use to review and correct personal
information.[Footnote 10] Among other provisions, the act also requires
agencies to define and limit themselves to specific predefined
purposes. For example, the act requires that to the greatest extent
practicable, personal information should be collected directly from the
subject individual when it may affect an individual's rights or
benefits under a federal program.
The provisions of the Privacy Act are largely based on a set of
principles for protecting the privacy and security of personal
information, known as the Fair Information Practices, which were first
proposed in 1973 by a U.S. government advisory committee;[Footnote 11]
these principles were intended to address what the committee termed a
poor level of protection afforded to privacy under contemporary law.
Since that time, the Fair Information Practices have been widely
adopted as a standard benchmark for evaluating the adequacy of privacy
protections. Attachment 2 contains a summary of the widely used version
of the Fair Information Practices adopted by the Organization for
Economic Cooperation and Development in 1980.
The E-Government Act of 2002 strives to enhance protection for personal
information in government information systems and information
collections by requiring that agencies conduct privacy impact
assessments (PIA). A PIA is an analysis of how personal information is
collected, stored, shared, and managed in a federal system. More
specifically, according to Office of Management and Budget (OMB)
guidance,[Footnote 12] a PIA is to (1) ensure that handling conforms to
applicable legal, regulatory, and policy requirements regarding
privacy; (2) determine the risks and effects of collecting,
maintaining, and disseminating information in identifiable form in an
electronic information system; and (3) examine and evaluate protections
and alternative processes for handling information to mitigate
potential privacy risks.
Agencies must conduct PIAs (1) before developing or procuring
information technology that collects, maintains, or disseminates
information that is in a personally identifiable form, or (2) before
initiating any new data collections involving personal information that
will be collected, maintained, or disseminated using information
technology if the same questions are asked of 10 or more people. To the
extent that PIAs are made publicly available,[Footnote 13] they provide
explanations to the public about such things as the information that
will be collected, why it is being collected, how it is to be used, and
how the system and data will be maintained and protected.
FISMA also addresses the protection of personal information. It defines
federal requirements for securing information and information systems
that support federal agency operations and assets; it requires agencies
to develop agencywide information security programs that extend to
contractors and other providers of federal data and systems.[Footnote
14] Under FISMA, information security means protecting information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction, including controls necessary
to preserve authorized restrictions on access and disclosure to protect
personal privacy.
To oversee its implementation of privacy protections, DHS has
established a Chief Privacy Officer, as directed by the Homeland
Security Act of 2002.[Footnote 15] According to the act, the Chief
Privacy Officer is responsible for, among other things, "assuring that
the use of technologies sustain[s], and do[es] not erode privacy
protections relating to the use, collection, and disclosure of personal
information," and "assuring that personal information contained in
Privacy Act systems of records is handled in full compliance with fair
information practices as set out in the Privacy Act of 1974."
Privacy Considerations Need Continuing Attention As Programs and
Systems Are Developed:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. Our reviews of DHS programs have identified
cases where these challenges were not fully met, including data mining,
airline passenger prescreening, use of data from commercial sources,
use of personal identification technologies (especially RFID), and
development of an information sharing environment. I will now discuss
each of these subjects in greater detail.
Ensuring that Data Mining Efforts Do Not Compromise Privacy
Protections:
Many concerns have been raised about the potential for data mining
programs to compromise personal privacy. In our May 2004 report on
federal data mining efforts, we defined data mining as the application
of database technology and techniques--such as statistical analysis and
modeling--to uncover hidden patterns and subtle relationships in data
and to infer rules that allow for the prediction of future
results.[Footnote 16] As we noted in our report, mining government and
private databases containing personal information raises a range of
privacy concerns.
In the government, data mining was initially used to detect financial
fraud and abuse. However, its use has greatly expanded. Among other
purposes, data mining has been used increasingly as a tool to help
detect terrorist threats through the collection and analysis of public
and private sector data. Through data mining, agencies can quickly and
efficiently obtain information on individuals or groups from large
databases containing personal information aggregated from public and
private records. Information can be developed about a specific
individual or a group of individuals whose behavior or characteristics
fit a specific pattern. For example, terrorists can be tracked through
travel and immigration records, and potential terrorist-related
activities, including money transfers and communications, can be
pinpointed. The ease with which organizations can use automated systems
to gather and analyze large amounts of previously isolated information
raises concerns about the impact on personal privacy. As a July 2006
report by the DHS Privacy Office points out, "privacy and civil
liberties issues potentially arise in every phase of the data mining
process."[Footnote 17] Potential privacy risks include improper access
or disclosure of personal information, erroneous associations of
individuals with undesirable activities, misidentification of
individuals with similar names, and misuse of data that were collected
for other purposes.
Our recent report notes that early attention to privacy in developing a
data mining tool known as ADVISE (Analysis, Dissemination,
Visualization, Insight, and Semantic Enhancement) could reduce risks
that personal information could be misused.[Footnote 18] ADVISE is a
data mining tool under development intended to help DHS analyze large
amounts of information. It is designed to allow an analyst to search
for patterns in data--such as relationships among people,
organizations, and events--and to produce visual representations of
these patterns, referred to as semantic graphs. The intended benefit of
the ADVISE tool is to help detect threatening activities by
facilitating the analysis of large amounts of data. Although the tool
is being considered for several different applications within DHS, none
of them are yet operational. DHS is currently in the process of testing
the tool's effectiveness.
DHS did not conduct a PIA as it developed the ADVISE tool, as required
by the E-Government Act of 2002. A PIA, if it had been completed, would
identify specific privacy risks and help officials determine what
controls were needed to mitigate those risks. DHS officials believed
that ADVISE did not need to undergo such an assessment because the tool
itself did not contain personal data. However, the intended uses of the
tool included personal data, and the E-Government Act and related
guidance emphasize the need to assess privacy risks early in system
development. Further, if an assessment were conducted and privacy risks
identified, a number of controls could be built into the tool to
mitigate those risks. Because privacy had not been assessed and
mitigating controls had not been implemented, the department faced the
risk that systems based on ADVISE that also contained personal
information could require costly and potentially duplicative
retrofitting to add the needed controls. We made recommendations to DHS
to conduct a PIA of the ADVISE tool and implement privacy controls, as
needed, to mitigate any identified risks. In its comments, DHS stated
that it is currently developing a "Privacy Technology Implementation
Guide" to be used to conduct a PIA.
Broadly considered, data mining is a tool that has the potential to
provide valuable assistance to analysts and investigators as they
pursue the war on terror. However, it has been challenging for DHS to
thoroughly consider and address privacy concerns early enough in its
attempts to develop data mining tools and applications. As the
department moves forward with ADVISE and other data mining activities,
close attention to privacy will remain a critical concern.
Ensuring Privacy Protection in Developing and Implementing Prescreening
Programs for Airline Passengers:
An example of the importance of ongoing attention to privacy can be
taken from TSA's development of passenger prescreening programs. TSA is
responsible for securing all modes of transportation while facilitating
commerce and the freedom of movement for the traveling public.
Passenger prescreening is one program among many that TSA uses to
secure the domestic aviation sector. The process of prescreening
passengers--that is, determining whether airline passengers might pose
a security risk before they reach the passenger-screening checkpoint--
is used to focus security efforts on those passengers that represent
the greatest potential threat.
In accordance with a requirement set forth in the Aviation and
Transportation Security Act, TSA has been working since 2003 to develop
a computer-assisted passenger prescreening system to be used to
evaluate passengers before they board an aircraft on domestic flights.
An early version of that system, known as the Computer-Assisted
Passenger Prescreening System II, was canceled in 2004 based in part on
concerns about privacy and other issues expressed by us and
others.[Footnote 19] In its place, TSA announced a new passenger
prescreening program, called Secure Flight, that would be narrower in
scope and designed to avoid problems that had been raised about the
previous program. Aspects of the new Secure Flight system underwent
development and testing in 2005.
In July 2005, we reported on privacy problems associated with testing
of Secure Flight.[Footnote 20] In 2004, TSA had issued privacy notices
in the Federal Register that included descriptions of how personal
information drawn from commercial sources would be used during planned
upcoming tests. However, these notices did not fully inform the public
about the procedures that TSA and its contractors would follow for
collecting, using, and storing commercial data. In addition, the scope
of the data used during commercial data testing was not fully
disclosed. Specifically, a contractor, acting on behalf of the agency,
collected more than 100 million commercial data records containing
personal information such as name, date of birth, and telephone number
without informing the public. As a result, the public did not receive
the full protections of the Privacy Act. In its comments on our
findings, DHS stated that it recognized the merits of the issues we
raised, and that TSA had acted immediately to address them.
The privacy problems faced in developing Secure Flight arose not
because it was prohibitively difficult to protect privacy while
prescreening airline passengers, but because TSA had not reassessed
privacy risks when key programmatic changes were made and taken
appropriate steps to mitigate them. Recently, TSA officials stated that
as they work to restructure the Secure Flight program, they plan a more
privacy-enhanced program by addressing concerns identified by us and
others. For example, officials stated that the program no longer plans
to use commercial data. Officials also stated that they have added
privacy experts to the system development teams to address privacy
issues as they arise. It is encouraging that TSA is now including
privacy experts within its development teams, with the express goal of
continuously monitoring privacy concerns. We will continue to assess
TSA's efforts to manage system privacy protections as part of our
ongoing review of the program.
Controlling the Collection and Use of Personal Information Obtained
from Information Resellers:
A major task confronting federal agencies, especially those engaged in
antiterrorism tasks, is to ensure that information obtained from
resellers is being appropriately used and protected. In fiscal year
2005, DHS reported planning to spend about $9 million on acquiring
personal information from information resellers.[Footnote 21] The
information was acquired chiefly for law enforcement purposes, such as
developing leads on subjects in criminal investigations, and for
detecting fraud in immigration benefit applications (part of enforcing
the immigration laws). For example, the agency's largest investigative
component, U.S. Immigration and Customs Enforcement--the largest user
of personal information from resellers--collects data such as address
and vehicle information for criminal investigations and background
security checks. DHS also reported using information resellers in its
counterterrorism efforts. For example, as already discussed, TSA used
data obtained from information resellers as part of a test associated
with the development of Secure Flight.
In our report on the acquisition of personal information from resellers
by agencies such as DHS, we noted that the agencies' practices for
handling this information did not always reflect the Fair Information
Practices.[Footnote 22] For example, system-of-records notices issued
by these agencies did not always state that agency systems could
incorporate information from data resellers, a practice inconsistent
with the principle that the purpose for a collection of personal data
should be disclosed beforehand and its use limited to that purpose.
Furthermore, accountability was not ensured, as the agencies did not
generally monitor usage of personal information from resellers;
instead, they relied on end users to be responsible for their own
behavior. Contributing to the uneven application of the Fair
Information Practices was a lack of agency policies, including at DHS,
that specifically address these uses.
Reliance on information from resellers is an emerging use of personal
data for which the government has been challenged to develop
appropriate guidance. We recommended that DHS and other agencies
develop specific policies, reflecting the Fair Information Practices,
for the collection, maintenance, and use of personal information
obtained from resellers. According to the DHS Privacy Office, while a
policy governing the department's use of commercial data is being
drafted, the document has not yet been issued. Until the department
issues clear guidance on this use, it faces the risk that appropriate
privacy protections may not be in place consistently across its
programs and applications.
Ensuring that Applications Using RFID Technology Protect Privacy
Consistently:
RFID is an automated data-capture technology that can be used to
electronically identify, track, and store information contained on a
tag. The tag can be attached to or embedded in the object to be
identified, such as a product, case, or pallet. RFID technology
provides identification and tracking capabilities by using wireless
communication to transmit data. In May 2005, we reported that major
initiatives at federal agencies that use or propose to use the
technology included physical access controls and tracking assets,
documents, or materials.[Footnote 23] For example, DHS was using RFID
to track and identify assets, weapons, and baggage on flights. The
Department of Defense was also using it to track shipments.
In our May 2005 report we identified several privacy issues related to
both commercial and federal use of RFID technology. Among these privacy
issues is the potential for the technology to be used inappropriately
for tracking an individual's movements, habits, tastes, or
predilections. Tracking is real-time or near-real-time surveillance in
which a person's movements are followed through RFID scanning.) Public
surveys have identified a distinct unease with the potential ability of
the federal government to monitor individuals' movements and
transactions.[Footnote 24] Like tracking, profiling--the reconstruction
of a person's movements or transactions over a specific period of time,
usually to ascertain something about the individual's habits, tastes,
or predilections--could also be undertaken through the use of RFID
technology. Once a particular individual is identified through an RFID
tag, personally identifiable information can be retrieved from any
number of sources and then aggregated to develop a profile of the
individual. Both tracking and profiling can compromise an individual's
privacy.
Concerns also have been raised that organizations could develop
secondary uses for the information gleaned through RFID technology;
this has been referred to as mission or function "creep." The history
of the Social Security number, for example, gives ample evidence of how
an identifier developed for one specific use has become a mainstay of
identification for many other purposes, governmental and
nongovernmental.[Footnote 25] Secondary uses of the Social Security
number have been a matter not of technical controls but rather of
changing policy and administrative priorities.[Footnote 26]
DHS uses and has made plans to use RFID technology to track individuals
in several border security programs. This has been met with concern
from the DHS Data Privacy and Integrity Advisory Committee, which
reiterated our concerns that employing the technology for human
identification poses privacy risks, including notice problems and
potential for secondary use. One program that planned to make use of
RFID was the US-VISIT program, a multibillion dollar program that
collects, maintains, and shares information on selected foreign
nationals who enter and exit the United States at over 300 ports of
entry around the country. The incorporation of RFID into the program
arose from the agency's requirement for a less costly alternative to
biometric verification of visitors exiting the country.
We recently testified that US-VISIT RFID tests revealed numerous
performance and reliability problems.[Footnote 27] For example, the
readers placed to detect identifying tags failed to do so for a
majority of the RFID tags.[Footnote 28] Faced with these test results,
the Secretary of Homeland Security recently stated that the agency
would cancel the use of RFID for US-VISIT.
However, despite having rejected RFID for US-VISIT, the department has
endorsed the technology for another border control initiative, the
proposed PASSport (People Access Security Service) system
identification card, which is part of the Western Hemisphere Travel
Initiative. The RFID-enabled PASSport card would serve as an
alternative to a traditional passport for use by U.S. citizens who
cross the land borders and travel by sea between the United States,
Canada, Mexico, the Caribbean, or Bermuda.[Footnote 29]
The department's varying approaches to the use of RFID for human
identification suggests the need for a departmentwide policy that fully
addresses privacy concerns. Unless DHS issues comprehensive guidance to
direct the development and implementation of new technologies such as
RFID, it faces the risk that appropriate privacy protections may not be
implemented consistently across its programs and applications.
According to the DHS Privacy Office, it is considering developing
guidance to address the use of specific technologies, including RFID.
Ensuring that Privacy Considerations are Addressed Consistently and
Effectively in the Information Sharing Environment:
The challenges that DHS faces in protecting privacy extend beyond the
need to consider and address privacy issues while developing its own
programs and systems. The department also interacts with many other
intelligence and law enforcement entities, both within and outside the
federal government, and potentially shares information with them all.
As with its own programs and systems, it will be important for DHS to
ensure that privacy has been thoroughly considered and guidelines
clearly established as it participates in the emerging information
sharing environment.
As directed by the Intelligence Reform and Terrorism Prevention Act of
2004,[Footnote 30] the administration has taken steps, beginning in
2005, to establish an information sharing environment to facilitate the
sharing of terrorism information. The direction to establish an
information sharing environment was driven by the recognition that
before the attacks of September 11, 2001, federal agencies had been
unable to effectively share information about suspected terrorists and
their activities. In addressing this problem, the National Commission
on Terrorist Attacks Upon the United States (9/11 Commission)
recommended that the sharing and uses of information be guided by a set
of practical policy guidelines that would simultaneously empower and
constrain officials, closely circumscribing what types of information
they would be permitted to share as well as the types they would need
to protect. Exchanging terrorism-related information continues to be a
significant challenge for federal, state, and local governments--one
that we recognize is not easily addressed. Accordingly, since January
2005, we have designated information sharing for homeland security a
high-risk area.[Footnote 31]
In developing guidelines for the information sharing environment, there
has been general agreement that privacy considerations must be
addressed. The Intelligence Reform Act called for the issuance of
guidelines to protect privacy and civil liberties in the development
and use of the information sharing environment, and the President
reiterated that requirement in an October 2005 directive to federal
departments and agencies. Based on the President's directive, a
committee within the Office of the Director of National Intelligence
was established to develop such guidelines, and they were approved by
the President in November 2006.[Footnote 32] According to its annual
report for 2004-2006, the DHS Privacy Office has played a role in
developing these guidelines.[Footnote 33]
However, the guidelines as issued provide only a high-level framework
for addressing privacy protection and do not include all of the Fair
Information Practices. The 9-page document includes statements of
principles, such as "purpose specification," "data quality," "data
security," and "accountability, enforcement, and audit" that align with
certain elements of the Fair Information Practices, but it provides
little or no guidance on how these principles are to be implemented and
does not address another key practice--limiting the collection of
personal information. For example, as the policy director of the Center
for Democracy and Technology has pointed out, a number of principles
mentioned in the guidelines do not include any specificity on how they
should be carried out.[Footnote 34] The guidelines call for agencies to
"take appropriate steps" when merging information about an individual
from two or more sources to ensure that the information is about the
same individual, but they give no indication of what steps would be
adequate to achieve this goal. For example, no guidance is provided on
gauging the reliability of sources or determining the minimum amount of
information needed to determine that different sources are referring to
the same individual. Likewise, the guidelines direct agencies to
implement adequate review and audit mechanisms to ensure compliance
with the guidelines but, again, do not specify the nature of these
mechanisms, which could include, for example, the use of electronic
audit logs that cannot be changed by individuals. Finally, the
guidelines also direct agencies to put in place internal procedures to
address complaints from persons regarding protected information about
them that is under the agency's control. No further guidance is
provided about the essential elements of a complaint process or what
sort of remedies to provide.
According to the DHS Privacy Office, individual agencies, including
DHS, are to develop specific guidelines that implement the high-level
framework embodied in the governmentwide guidelines. However, no
overall DHS guidance on the protection of privacy within the context of
the information sharing environment has yet been developed. According
to the Privacy Office, an effort is currently being initiated to
develop such guidance.
While DHS is only one participant in the governmentwide information
sharing environment, it has the responsibility to ensure that the
information under its control is shared with other organizations in
ways that adequately protect privacy. Until it adopts specific
implementation guidelines, the department will face the risk that its
information sharing activities may not protect privacy adequately.
In summary, DHS faces continuing challenges in ensuring that privacy
concerns are addressed early, are reassessed when key programmatic
changes are made, and are thoroughly reflected in guidance on emerging
technologies and uses of personal data. We have made recommendations
previously regarding ADVISE, Secure Flight, and use of information
resellers, and officials have taken action or told us they are taking
action to address our recommendations. Implementation of these
recommendations is critical to ensuring that privacy protections are in
place throughout key DHS programs and activities. Likewise, issuing
guidance for participation in the information sharing environment will
also be critical to ensure implementation of consistent, appropriate
protections across the department.
Mr. Chairman, this concludes my testimony today. I would be happy to
answer any questions you or other members of the subcommittee may have.
Contacts and Acknowledgements:
If you have any questions concerning this testimony, please contact
Linda Koontz, Director, Information Management, at (202) 512-6240, or
koontzl@gao.gov. Other individuals who made key contributions include
Barbara Collier, Susan Czachor, John de Ferrari, Timothy Eagle, David
Plocher, and Jamie Pressman.
Attachment I: Selected GAO Products Related to Privacy Issues:
Data Mining: Early Attention to Privacy in Developing a Key DHS Program
Could Reduce Risks. GAO-07-293. Washington, D.C.: February 28, 2007.
Aviation Security: Progress Made in Systematic Planning to Guide Key
Investment Decisions, but More Work Remains. GAO-07-448T. Washington,
D.C.: February 13, 2007.
Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. GAO-07-248.
Washington, D.C.: December 6, 2006.
Personal Information: Key Federal Privacy Laws Do Not Require
Information Resellers to Safeguard All Sensitive Data. GAO-06-674.
Washington, D.C.: June 26, 2006.
Veterans Affairs: Leadership Needed to Address Information Security
Weaknesses and Privacy Issues. GAO-06-866T. Washington, D.C.: June 14,
2006.
Privacy: Preventing and Responding to Improper Disclosures of Personal
Information. GAO-06-833T. Washington, D.C.: June 8, 2006.
Privacy: Key Challenges Facing Federal Agencies. GAO-06-777T.
Washington, D.C.: May 17, 2006.
Personal Information: Agencies and Resellers Vary in Providing Privacy
Protections. GAO-06-609T. Washington, D.C.: April 4, 2006.
Personal Information: Agency and Reseller Adherence to Key Privacy
Principles. GAO-06-421. Washington, D.C.: April 4, 2006.
Information Sharing: The Federal Government Needs to Establish Policies
and Processes for Sharing Terrorism-Related and Sensitive but
Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006.
Data Mining: Agencies Have Taken Key Steps to Protect Privacy in
Selected Efforts, but Significant Compliance Issues Remain. GAO-05-866.
Washington, D.C.: August 15, 2005.
Aviation Security: Transportation Security Administration Did Not Fully
Disclose Uses of Personal Information during Secure Flight Program
Testing in Initial Privacy Notices, but Has Recently Taken Steps to
More Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22,
2005.
Identity Theft: Some Outreach Efforts to Promote Awareness of New
Consumer Rights are Under Way. GAO-05-710. Washington, D.C.: June 30,
2005.
Information Security: Radio Frequency Identification Technology in the
Federal Government. GAO-05-551. Washington, D.C.: May 27, 2005.
Aviation Security: Secure Flight Development and Testing Under Way, but
Risks Should Be Managed as System is Further Developed. GAO-05-356.
Washington, D.C.: March 28, 2005.
Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. GAO-05-59. Washington, D.C.:
November 9, 2004.
Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548.
Washington, D.C.: May 4, 2004.
Aviation Security: Computer-Assisted Passenger Prescreening System
Faces Significant Implementation Challenges. GAO-04-385. Washington,
D.C.: February 12, 2004.
Privacy Act: OMB Leadership Needed to Improve Agency Compliance. GAO-
03-304. Washington, D.C.: June 30, 2003.
Data Mining: Results and Challenges for Government Programs, Audits,
and Investigations. GAO-03-591T. Washington, D.C.: March 25, 2003.
Technology Assessment: Using Biometrics for Border Security. GAO-03-
174. Washington, D.C.: November 15, 2002.
Information Management: Selected Agencies' Handling of Personal
Information. GAO-02-1058. Washington, D.C.: September 30, 2002.
Identity Theft: Greater Awareness and Use of Existing Data Are Needed.
GAO-02-766. Washington, D.C.: June 28, 2002.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002.
Attachment 2: The Fair Information Practices:
The Fair Information Practices are not precise legal requirements.
Rather, they provide a framework of principles for balancing the need
for privacy with other public policy interests, such as national
security, law enforcement, and administrative efficiency. Ways to
strike that balance vary among countries and according to the type of
information under consideration. The version of the Fair Information
Practices shown in table 1 was issued by the Organization for Economic
Cooperation and Development (OECD) in 1980[Footnote 35] and has been
widely adopted.
Table 1: The Fair Information Practices:
Principle: Collection limitation;
Description: The collection of personal information should be limited,
should be obtained by lawful and fair means, and, where appropriate,
with the knowledge or consent of the individual.
Principle: Data quality;
Description: Personal information should be relevant to the purpose for
which it is collected, and should be accurate, complete, and current as
needed for that purpose.
Principle: Purpose specification;
Description: The purposes for the collection of personal information
should be disclosed before collection and upon any change to that
purpose, and its use should be limited to those purposes and compatible
purposes.
Principle: Use limitation;
Description: Personal information should not be disclosed or otherwise
used for other than a specified purpose without consent of the
individual or legal authority.
Principle: Security safeguards;
Description: Personal information should be protected with reasonable
security safeguards against risks such as loss or unauthorized access,
destruction, use, modification, or disclosure.
Principle: Openness;
Description: The public should be informed about privacy policies and
practices, and individuals should have ready means of learning about
the use of personal information.
Principle: Individual participation;
Description: Individuals should have the following rights: to know
about the collection of personal information, to access that
information, to request correction, and to challenge the denial of
those rights.
Principle: Accountability;
Description: Individuals controlling the collection or use of personal
information should be accountable for taking steps to ensure the
implementation of these principles.
Source: Organization for Economic Cooperation and Development.
[End of table]
FOOTNOTES
[1] For purposes of this testimony, the term personal information
encompasses all information associated with an individual, including
personally identifiable information, which refers to any information
about an individual maintained by an agency that can be used to
distinguish or trace an individual's identity, such as name, Social
Security number, date and place of birth, mother's maiden name,
biometric records, etc., including any other personal information which
is linked or linkable to an individual.
[2] For more information, see GAO, Information Sharing: The Federal
Government Needs to Establish Policies and Processes for Sharing
Terrorism-Related and Sensitive but Unclassified Information, GAO-06-
385 (Washington, D.C.: Mar. 17, 2006).
[3] GAO, Data Mining: Early Attention to Privacy in Developing a Key
DHS Program Could Reduce Risks, GAO-07-293 (Washington, D.C.: Feb. 28,
2007) and Data Mining: Agencies Have Taken Key Steps to Protect Privacy
in Selected Efforts, but Significant Compliance Issues Remain, GAO-05-
866 (Washington, D.C.: Aug. 15, 2005).
[4] GAO, Aviation Security: Progress Made in Systematic Planning to
Guide Key Investment Decisions, but More Work Remains, GAO-07-448T
(Washington, D.C.: Feb. 13, 2007) and Aviation Security: Transportation
Security Administration Did Not Fully Disclose Uses of Personal
Information during Secure Flight Program Testing in Initial Privacy
Notices, but Has Recently Taken Steps to More Fully Inform the Public,
GAO-05-864R (Washington, D.C.: July 22, 2005).
[5] GAO, Personal Information: Agency and Reseller Adherence to Key
Privacy Principles, GAO-06-421 (Washington: D.C.: Apr. 4, 2006).
[6] GAO, Information Security: Radio Frequency Identification
Technology in the Federal Government, GAO-05-551 (Washington, D.C.: May
27, 2005) and Border Security: US-VISIT Program Faces Strategic,
Operational, and Technological Challenges at Land Ports of Entry, GAO-
07-248 (Washington, D.C.: Dec. 6, 2006).
[7] GAO-07-293.
[8] US-VISIT is an abbreviation for United States Visitor and Immigrant
Status Indicator Technology.
[9] GAO-07-248.
[10] Under the Privacy Act of 1974, the term "routine use" means (with
respect to the disclosure of a record) the use of such a record for a
purpose that is compatible with the purpose for which it was collected.
5 U.S.C. § 552a(a)(7).
[11] Congress used the committee's final report as a basis for crafting
the Privacy Act of 1974. See U.S. Department of Health, Education, and
Welfare, Records, Computers and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems
(Washington, D.C.: July 1973).
[12] Office of Management and Budget, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002, M-03-22 (Sept. 26,
2003). OMB is tasked with providing guidance to agencies on how to
implement the provisions of the E-Government Act, the Privacy Act, and
FISMA.
[13] The E-Government Act requires agencies, if practicable, to make
privacy impact assessments publicly available through agency Web sites,
by publication in the Federal Register, or by other means. Pub. L. 107-
347, § 208(b)(1)(B)(iii).
[14] FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec.
17, 2002).
[15] Pub. L. No. 107-296, § 222 (Nov. 25, 2002).
[16] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-
04-548 (Washington, D.C.: May 4, 2004).
[17] DHS, Data Mining Report: DHS Privacy Office Response to House
Report 108-774 (July 6, 2006), p. 12.
[18] GAO, Data Mining: Early Attention to Privacy in Developing a Key
DHS Program Could Reduce Risks, GAO-07-293 (Wash., D.C.: Feb. 28,
2007).
[19] See GAO, Aviation Security: Computer-Assisted Passenger
Prescreening System Faces Significant Implementation Challenges, GAO-
04-385 (Washington, D.C.: Feb. 12, 2004).
[20] GAO, Aviation Security: Transportation Security Administration Did
Not Fully Disclose Uses of Personal Information during Secure Flight
Program Testing in Initial Privacy Notices, but Has Recently Taken
Steps to More Fully Inform the Public, GAO-05-864R (Washington, D.C.:
July 22, 2005).
[21] Information resellers are companies that collect information,
including personal information about consumers, from a wide variety of
sources for the purpose of reselling such information to their
customers, which include both private-sector businesses and government
agencies.
[22] GAO-06-421.
[23] GAO, Information Security: Radio Frequency Identification
Technology in the Federal Government, GAO-05-551 (Washington, D.C.: May
27, 2005).
[24] GAO, Technology Assessment: Using Biometrics for Border Security,
GAO-03-174 (Washington, D.C.: Nov. 15, 2002).
[25] GAO, Social Security Numbers: Government Benefits from SSN Use but
Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31,
2002).
[26] For information on the practices and tools to mitigate these
privacy issues, see GAO-05-551, pp. 22-24.
[27] GAO, Homeland Security: US-VISIT Has Not Fully Met Expectations
and Longstanding Program Management Challenges Need to be Addressed,
GAO-07-499T (Washington, D.C.: Feb. 16, 2007).
[28] A US-VISIT program official explained that for vehicles exiting
during RFID testing, one could "reasonably expect" a read rate of 70
percent. However, as the program office reported, tests conducted at
the Blaine-Pacific Highway border station showed readers correctly
identifying 14 percent of the travelers' tags.
[29] 71 Federal Register 60928-60932 (Oct. 17, 2006).
[30] Pub. L. No. 108-458 (Dec. 17, 2004).
[31] For more information, see GAO, High-Risk Series: An Update, GAO-
07-310 (Washington, D.C.: Jan. 2007), p. 47, and Information Sharing:
The Federal Government Needs to Establish Policies and Processes for
Sharing Terrorism-Related and Sensitive but Unclassified Information,
GAO-06-385 (Washington D.C.: Mar. 17, 2006).
[32] Information Sharing Environment Program Management Office,
Guidelines to Ensure that the Information Privacy and Other Legal
Rights of Americans are Protected in the Development and Use of the
Information Sharing Environment (Nov. 22, 2006).
[33] DHS, Privacy Office Annual Report to Congress July 2004-July 2006
(Washington, D.C.: July 2006).
[34] James X. Dempsey, Statement on behalf of the Markle Foundation
Task Force on National Security in the Information Age before the
President's Privacy and Civil Liberties Oversight Board (Washington,
D.C.: Dec. 5, 2006).
[35] OECD, Guidelines on the Protection of Privacy and Transborder Flow
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in
fostering good governance in the public service and in corporate
activity among its 30 member countries. It produces internationally
agreed-upon instruments, decisions, and recommendations to promote
rules in areas where multilateral agreement is necessary for individual
countries to make progress in the global economy.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
