Homeland Security
Continuing Attention to Privacy Concerns is Needed as Programs Are Developed
GAO ID: GAO-07-630T, March 21, 2007
This is the accessible text file for GAO report number GAO-07-630T
entitled 'Homeland Security: Continuing Attention to Privacy Concerns
is Needed as Programs Are Developed' which was released on March 21,
2007.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Homeland Security, Committee on
Appropriations, House of Representatives:
For Release on Delivery:
Expected at 10:00 a.m. EDT Wednesday, March 21, 2007:
Homeland Security:
Continuing Attention to Privacy Concerns is Needed as Programs Are
Developed:
Statement of Linda D. Koontz:
Director, Information Management Issues:
GAO-07-630T:
GAO Highlights:
Highlights of GAO-07-630T, a testimony before the Subcommittee on
Homeland Security, Committee on Appropriations, House of
Representatives
Why GAO Did This Study:
Advances in information technology make it easier than ever for the
Department of Homeland Security (DHS) and other agencies to obtain and
process information about citizens and residents in many ways and for
many purposes. The demands of the war on terror also drive agencies to
extract as much value as possible from the information available to
them, adding to the potential for compromising privacy. Recognizing
that securing the homeland and protecting the privacy rights of
individuals are both important goals, the Congress has asked GAO to
perform several reviews of DHS programs and their privacy implications
over the past several years.
For this hearing, GAO was asked to testify on key privacy challenges
facing DHS. To address this issue, GAO identified and summarized issues
raised in its previous reports on privacy and assessed recent
governmentwide privacy guidance.
What GAO Found:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. GAO's reviews of DHS programs have identified
cases where these challenges were not fully met. For example, increased
use by federal agencies of data mining--the analysis of large amounts of
data to uncover hidden patterns and relationships--has been accompanied
by uncertainty regarding privacy requirements and oversight of such
systems. As described in a recent GAO report, DHS did not assess
privacy risks in developing a data mining tool known as ADVISE
(Analysis, Dissemination, Visualization, Insight, and Semantic
Enhancement), as required by the E-Government Act of 2002. ADVISE is a
data mining tool under development intended to help the department
analyze large amounts of information. Because privacy had not been
assessed and mitigating controls had not been implemented, DHS faced
the risk that uses of ADVISE in systems containing personal information
could require costly and potentially duplicative retrofitting at a
later date to add the needed controls.
GAO has also reported on privacy challenges experienced by DHS in
reassessing privacy risks when key programmatic changes were made
during development of a prescreening program for airline passengers.
The Transportation Security Administration (TSA) has been working to
develop a computer-assisted passenger prescreening system, known as
Secure Flight, to be used to evaluate passengers before they board an
aircraft on domestic flights. GAO reported that TSA had not fully
disclosed uses of personal information during testing of Secure Flight,
as required by the Privacy Act of 1974. To prevent such problems from
recurring, TSA officials recently said that they have added privacy
experts to Secure Flight's development teams to address privacy
considerations on a continuous basis as they arise.
Another challenge DHS faces is ensuring that privacy considerations are
addressed in the emerging information sharing environment. The
Intelligence Reform and Terrorism Prevention Act of 2004 requires the
establishment of an environment to facilitate the sharing of terrorism
information, as well as the issuance of privacy guidelines for
operation in this environment. Recently issued privacy guidelines
developed by the Office of the Director of National Intelligence
provide only a high-level framework for privacy protection. While DHS
is only one participant, it has the responsibility to ensure that the
information under its control is shared with other organizations in
ways that adequately protect privacy. Accordingly, it will be important
for the department to clearly establish departmental guidelines so that
privacy protections are implemented properly and consistently.
What GAO Recommends:
Because GAO has already made privacy-related recommendations in its
earlier reports, it is making no further recommendations at this time.
Officials have taken action or have said they are in the process of
taking action to address the recommendations. Implementation is
critical to ensuring that privacy protections are in place throughout
key DHS programs and activities.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-630T]
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda Koontz at (202) 512-
6240 or koontzL@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
I appreciate the opportunity to be here today to discuss issues in
enhancing personal privacy while meeting homeland security needs. As
the federal government obtains and processes personal
information[Footnote 1] about citizens and residents in increasingly
diverse ways to better secure our homeland, it is important that this
information be properly protected and the privacy rights of individuals
respected. Advances in information technology make it easier than ever
for the Department of Homeland Security (DHS) and other agencies to
acquire data on individuals, analyze it for a variety of purposes, and
share it with other governmental and nongovernmental entities. Further,
the demands of the war on terror drive agencies to extract as much
value as possible from the information available to them, adding to the
potential for compromising privacy. Given that securing the homeland
and protecting the privacy rights of individuals are both important
goals, it is incumbent on the government to find ways to do both well
without compromising either.
As requested, my statement will focus on key privacy challenges facing
DHS as it develops systems and methods for fighting the war on terror.
After a brief description of the laws and guidance that apply to
federal agency use of personal information, I will summarize our work
on key programs and activities in which privacy considerations have
been prominent, including data mining, passenger prescreening, use of
commercial data, and radio frequency identification technology. I will
also comment on the department's role in participating in the
governmentwide information sharing environment, which is being
established by the administration to facilitate the sharing of
terrorism information among governmental entities.[Footnote 2]
To address key privacy challenges facing DHS, we identified and
summarized issues raised in our previous reports on privacy, including
our work on data mining,[Footnote 3] passenger prescreening,[Footnote
4] commercial data,[Footnote 5] and radio frequency identification
applications.[Footnote 6] We also assessed recent governmentwide
privacy guidance for the information sharing environment and identified
privacy challenges DHS is likely to face as a participant. We conducted
our work in accordance with generally accepted government auditing
standards. To provide additional information on our previous privacy-
related work, I have included, as attachment 1, a list of pertinent GAO
publications.
Results in Brief:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. Our reviews of DHS programs have identified
cases where these challenges were not fully met. For example:
* Ensuring that data mining efforts do not compromise privacy
protections. Increased use by federal agencies of data mining--the
analysis of large amounts of data to uncover hidden patterns and
relationships--has been accompanied by uncertainty regarding privacy
requirements and oversight of such systems. For example, as described
in our recent report,[Footnote 7] DHS did not assess privacy risks in
developing a data mining tool known as ADVISE (Analysis, Dissemination,
Visualization, Insight, and Semantic Enhancement), as required by the E-
Government Act of 2002. Because privacy had not been assessed and
mitigating controls had not been implemented, DHS faced the risk that
ADVISE-based systems containing personal information could require
costly and potentially duplicative retrofitting at a later date to add
the needed controls. Accordingly, we recommended that DHS immediately
conduct a privacy impact assessment of the ADVISE tool to identify
privacy risks and implement privacy controls to mitigate those risks.
In its comments, DHS stated that it is currently developing a "Privacy
Technology Implementation Guide" to be used to conduct a PIA.
* Ensuring privacy protection in developing and implementing
prescreening programs for airline passengers. In accordance with a
requirement set forth in the Aviation and Transportation Security Act,
the Transportation Security Administration (TSA) has been working to
develop a computer-assisted passenger prescreening system, known as
Secure Flight, to be used to evaluate passengers before they board an
aircraft domestically. In previous work, we reported that TSA had not
fully disclosed uses of personal information during testing of Secure
Flight, as required by the Privacy Act of 1974. To prevent such
problems from recurring, TSA officials recently said that they have
added privacy experts to Secure Flight's development teams to address
privacy considerations on a continuous basis as they arise.
* Controlling the collection and use of personal information obtained
from commercial sources, known as "information resellers." A major task
confronting federal agencies, especially those engaged in antiterrorism
tasks, is to ensure that information obtained from resellers is being
appropriately used and protected. In previous work, we reported that
agencies were uncertain about the applicability of privacy requirements
to this information, which led to inconsistencies in how it was
treated. For example, public notices required by the Privacy Act did
not always disclose the use of information from resellers. We
recommended that DHS develop a policy concerning the use of such
information, which according to the DHS Privacy Office is currently in
draft.
* Ensuring that applications using radio frequency identification
technology (RFID) protect privacy consistently. RFID technology uses
wireless communication to transmit data and thus electronically
identify, track, and store information on tags attached to or embedded
in objects. Our recent work on US-VISIT[Footnote 8]--a DHS program to
collect data on selected foreign nationals entering and exiting the
United States--identified problems with the use of RFID for human
identification.[Footnote 9] Although the Secretary of Homeland Security
has announced that RFID use by US-VISIT is to be discontinued, another
DHS border control program, the Western Hemisphere Travel Initiative,
still plans to use the technology. Without departmental guidance on the
use of RFID, DHS programs may use the technology inconsistently,
potentially creating unnecessary privacy risks. According to the DHS
Privacy Office, it is considering developing guidance to address the
use of specific technologies, including RFID.
* Ensuring that privacy considerations are addressed consistently and
effectively in the information sharing environment. As directed by the
Intelligence Reform and Terrorism Prevention Act of 2004, the
administration has taken steps, beginning in 2005, to establish an
information sharing environment to facilitate the sharing of terrorism
information. However, privacy guidelines recently issued for the
information sharing environment provide only a high-level framework for
ensuring privacy protection and do not address how the collection of
information is to be limited. Because DHS participates in the
information sharing environment, potentially sharing information with
many other intelligence and law enforcement entities both within and
outside the federal government, it will be important for the department
to ensure that departmental guidelines are clearly established so that
privacy protections are implemented properly and consistently.
We have made recommendations to DHS in several of these areas to ensure
that privacy issues are adequately addressed, and officials have taken
action or told us they are in the process of taking action to address
them. Implementation of these recommendations is critical to ensuring
that privacy protections are in place throughout key DHS programs and
activities.
Background: Federal Laws and Guidance Govern Use of Personal
Information in Federal Agencies:
The major requirements for the protection of personal privacy by
federal agencies are specified in two laws, the Privacy Act of 1974 and
the E-Government Act of 2002. The Federal Information Security
Management Act of 2002 (FISMA) also addresses the protection of
personal information in the context of securing federal agency
information and information systems.
The Privacy Act places limitations on agencies' collection, disclosure,
and use of personal information maintained in systems of records. The
act describes a "record" as any item, collection, or grouping of
information about an individual that is maintained by an agency and
contains his or her name or another personal identifier. It also
defines "system of records" as a group of records under the control of
any agency from which information is retrieved by the name of the
individual or by an individual identifier. The Privacy Act requires
that when agencies establish or make changes to a system of records,
they must notify the public by a "system-of-records notice"--that is, a
notice in the Federal Register identifying, among other things, the
type of data collected, the types of individuals about whom information
is collected, the intended "routine" uses of data, and procedures that
individuals can use to review and correct personal
information.[Footnote 10] Among other provisions, the act also requires
agencies to define and limit themselves to specific predefined
purposes. For example, the act requires that to the greatest extent
practicable, personal information should be collected directly from the
subject individual when it may affect an individual's rights or
benefits under a federal program.
The provisions of the Privacy Act are largely based on a set of
principles for protecting the privacy and security of personal
information, known as the Fair Information Practices, which were first
proposed in 1973 by a U.S. government advisory committee;[Footnote 11]
these principles were intended to address what the committee termed a
poor level of protection afforded to privacy under contemporary law.
Since that time, the Fair Information Practices have been widely
adopted as a standard benchmark for evaluating the adequacy of privacy
protections. Attachment 2 contains a summary of the widely used version
of the Fair Information Practices adopted by the Organization for
Economic Cooperation and Development in 1980.
The E-Government Act of 2002 strives to enhance protection for personal
information in government information systems and information
collections by requiring that agencies conduct privacy impact
assessments (PIA). A PIA is an analysis of how personal information is
collected, stored, shared, and managed in a federal system. More
specifically, according to Office of Management and Budget (OMB)
guidance,[Footnote 12] a PIA is to (1) ensure that handling conforms to
applicable legal, regulatory, and policy requirements regarding
privacy; (2) determine the risks and effects of collecting,
maintaining, and disseminating information in identifiable form in an
electronic information system; and (3) examine and evaluate protections
and alternative processes for handling information to mitigate
potential privacy risks.
Agencies must conduct PIAs (1) before developing or procuring
information technology that collects, maintains, or disseminates
information that is in a personally identifiable form, or (2) before
initiating any new data collections involving personal information that
will be collected, maintained, or disseminated using information
technology if the same questions are asked of 10 or more people. To the
extent that PIAs are made publicly available,[Footnote 13] they provide
explanations to the public about such things as the information that
will be collected, why it is being collected, how it is to be used, and
how the system and data will be maintained and protected.
FISMA also addresses the protection of personal information. It defines
federal requirements for securing information and information systems
that support federal agency operations and assets; it requires agencies
to develop agencywide information security programs that extend to
contractors and other providers of federal data and systems.[Footnote
14] Under FISMA, information security means protecting information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction, including controls necessary
to preserve authorized restrictions on access and disclosure to protect
personal privacy.
To oversee its implementation of privacy protections, DHS has
established a Chief Privacy Officer, as directed by the Homeland
Security Act of 2002.[Footnote 15] According to the act, the Chief
Privacy Officer is responsible for, among other things, "assuring that
the use of technologies sustain[s], and do[es] not erode privacy
protections relating to the use, collection, and disclosure of personal
information," and "assuring that personal information contained in
Privacy Act systems of records is handled in full compliance with fair
information practices as set out in the Privacy Act of 1974."
Privacy Considerations Need Continuing Attention As Programs and
Systems Are Developed:
As it develops and participates in important homeland security
activities, DHS faces challenges in ensuring that privacy concerns are
addressed early, are reassessed when key programmatic changes are made,
and are thoroughly reflected in guidance on emerging technologies and
uses of personal data. Our reviews of DHS programs have identified
cases where these challenges were not fully met, including data mining,
airline passenger prescreening, use of data from commercial sources,
use of personal identification technologies (especially RFID), and
development of an information sharing environment. I will now discuss
each of these subjects in greater detail.
Ensuring that Data Mining Efforts Do Not Compromise Privacy
Protections:
Many concerns have been raised about the potential for data mining
programs to compromise personal privacy. In our May 2004 report on
federal data mining efforts, we defined data mining as the application
of database technology and techniques--such as statistical analysis and
modeling--to uncover hidden patterns and subtle relationships in data
and to infer rules that allow for the prediction of future
results.[Footnote 16] As we noted in our report, mining government and
private databases containing personal information raises a range of
privacy concerns.
In the government, data mining was initially used to detect financial
fraud and abuse. However, its use has greatly expanded. Among other
purposes, data mining has been used increasingly as a tool to help
detect terrorist threats through the collection and analysis of public
and private sector data. Through data mining, agencies can quickly and
efficiently obtain information on individuals or groups from large
databases containing personal information aggregated from public and
private records. Information can be developed about a specific
individual or a group of individuals whose behavior or characteristics
fit a specific pattern. For example, terrorists can be tracked through
travel and immigration records, and potential terrorist-related
activities, including money transfers and communications, can be
pinpointed. The ease with which organizations can use automated systems
to gather and analyze large amounts of previously isolated information
raises concerns about the impact on personal privacy. As a July 2006
report by the DHS Privacy Office points out, "privacy and civil
liberties issues potentially arise in every phase of the data mining
process."[Footnote 17] Potential privacy risks include improper access
or disclosure of personal information, erroneous associations of
individuals with undesirable activities, misidentification of
individuals with similar names, and misuse of data that were collected
for other purposes.
Our recent report notes that early attention to privacy in developing a
data mining tool known as ADVISE (Analysis, Dissemination,
Visualization, Insight, and Semantic Enhancement) could reduce risks
that personal information could be misused.[Footnote 18] ADVISE is a
data mining tool under development intended to help DHS analyze large
amounts of information. It is designed to allow an analyst to search
for patterns in data--such as relationships among people,
organizations, and events--and to produce visual representations of
these patterns, referred to as semantic graphs. The intended benefit of
the ADVISE tool is to help detect threatening activities by
facilitating the analysis of large amounts of data. Although the tool
is being considered for several different applications within DHS, none
of them are yet operational. DHS is currently in the process of testing
the tool's effectiveness.
DHS did not conduct a PIA as it developed the ADVISE tool, as required
by the E-Government Act of 2002. A PIA, if it had been completed, would
identify specific privacy risks and help officials determine what
controls were needed to mitigate those risks. DHS officials believed
that ADVISE did not need to undergo such an assessment because the tool
itself did not contain personal data. However, the intended uses of the
tool included personal data, and the E-Government Act and related
guidance emphasize the need to assess privacy risks early in system
development. Further, if an assessment were conducted and privacy risks
identified, a number of controls could be built into the tool to
mitigate those risks. Because privacy had not been assessed and
mitigating controls had not been implemented, the department faced the
risk that systems based on ADVISE that also contained personal
information could require costly and potentially duplicative
retrofitting to add the needed controls. We made recommendations to DHS
to conduct a PIA of the ADVISE tool and implement privacy controls, as
needed, to mitigate any identified risks. In its comments, DHS stated
that it is currently developing a "Privacy Technology Implementation
Guide" to be used to conduct a PIA.
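The following is an added illustration and is not part of this testimony or of the ADVISE tool itself. It is a small Python semantic-graph builder over constructed records that makes visible two of the risks named above (misidentification of individuals with similar names and the erroneous associations that follow from it) and shows two controls of the kind a PIA could lead a development team to build into such a tool: pseudonymous person tokens in place of raw record identifiers, and purpose-bound queries with an audit trail. The records, the permitted purposes, the key, and the function names are all assumptions made for this example.

```python
"""Toy semantic-graph tool with privacy controls (added example, not ADVISE code)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed records: P-001 and P-002 are different people who share a name.
RECORDS = [
    {"id": "P-001", "name": "J. Smith", "org": "Acme Freight", "event": "flight LX100"},
    {"id": "P-002", "name": "J. Smith", "org": "Globex Corp", "event": "wire transfer W77"},
    {"id": "P-003", "name": "A. Jones", "org": "Acme Freight", "event": "wire transfer W77"},
]

# Assumed tool configuration; a real deployment would manage these elsewhere.
PSEUDONYM_KEY = b"constructed-key-for-this-example"
ALLOWED_PURPOSES = {"counterterrorism", "immigration-fraud"}
AUDIT_LOG = []  # entries of (analyst, purpose, node, outcome)


def pseudonym(identifier):
    """Keyed hash of a record identifier: stable across queries but not
    reversible by the analyst, so the graph can be explored without
    exposing raw identifiers (re-identification is a separate, logged step)."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:12]


def build_graph(records, link_on):
    """Link each person to the organisations and events in their records.

    link_on="name" keys persons by name (weak: collapses people who share one);
    link_on="id" keys them by a pseudonym of the record identifier (strong).
    Returns {person_node: set(neighbour_nodes)}.
    """
    if link_on not in ("name", "id"):
        raise ValueError("link_on must be 'name' or 'id'")
    graph = defaultdict(set)
    for r in records:
        person = r["name"] if link_on == "name" else pseudonym(r["id"])
        graph[person].add("org:" + r["org"])
        graph[person].add("event:" + r["event"])
    return dict(graph)


def associated_persons(graph, node):
    """Persons the tool would associate with an organisation or event node."""
    return {person for person, nbrs in graph.items() if node in nbrs}


def query(graph, node, analyst, purpose):
    """Purpose-bound access: refuse and log queries outside the purposes the
    data was collected for; log permitted queries as well, for later review."""
    if purpose not in ALLOWED_PURPOSES:
        AUDIT_LOG.append((analyst, purpose, node, "DENIED"))
        raise PermissionError(f"purpose {purpose!r} is not an authorised use")
    AUDIT_LOG.append((analyst, purpose, node, "OK"))
    return associated_persons(graph, node)


def wrongly_implicated(records, node):
    """Record IDs that name-based linkage ties to `node` although none of
    their own records mention it: the misidentification risk made visible."""
    implicated_names = associated_persons(build_graph(records, "name"), node)
    truly_linked = associated_persons(build_graph(records, "id"), node)
    return sorted(
        r["id"]
        for r in records
        if r["name"] in implicated_names and pseudonym(r["id"]) not in truly_linked
    )


if __name__ == "__main__":
    node = "event:wire transfer W77"
    graph = build_graph(RECORDS, "id")
    print("linked by strong identifier:", query(graph, node, "analyst-1", "counterterrorism"))
    print("wrongly implicated by name matching:", wrongly_implicated(RECORDS, node))
    print("audit trail:", AUDIT_LOG)
```

Run stand-alone, the name-keyed graph merges the two J. Smiths into one node, so the freight employee P-001 is tied to a wire transfer that only P-002 took part in; the identifier-keyed graph keeps them apart. The query wrapper is deliberately the only entry point an analyst would be given, so that every lookup carries a purpose and leaves a log entry, which is what makes later oversight of the tool's use possible.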
Broadly considered, data mining is a tool that has the potential to
provide valuable assistance to analysts and investigators as they
pursue the war on terror. However, it has been challenging for DHS to
thoroughly consider and address privacy concerns early enough in its
attempts to develop data mining tools and applications. As the
department moves forward with ADVISE and other data mining activities,
close attention to privacy will remain a critical concern.
Ensuring Privacy Protection in Developing and Implementing Prescreening
Programs for Airline Passengers:
An example of the importance of ongoing attention to privacy can be
taken from TSA's development of passenger prescreening programs. TSA is
responsible for securing all modes of transportation while facilitating
commerce and the freedom of movement for the traveling public.
Passenger prescreening is one program among many that TSA uses to
secure the domestic aviation sector. The process of prescreening
passengers--that is, determining whether airline passengers might pose
a security risk before they reach the passenger-screening checkpoint--
is used to focus security efforts on those passengers who represent
the greatest potential threat.
In accordance with a requirement set forth in the Aviation and
Transportation Security Act, TSA has been working since 2003 to develop
a computer-assisted passenger prescreening system to be used to
evaluate passengers before they board an aircraft on domestic flights.
An early version of that system, known as the Computer-Assisted
Passenger Prescreening System II, was canceled in 2004 based in part on
concerns about privacy and other issues expressed by us and
others.[Footnote 19] In its place, TSA announced a new passenger
prescreening program, called Secure Flight, that would be narrower in
scope and designed to avoid problems that had been raised about the
previous program. Aspects of the new Secure Flight system underwent
development and testing in 2005.
In July 2005, we reported on privacy problems associated with testing
of Secure Flight.[Footnote 20] In 2004, TSA had issued privacy notices
in the Federal Register that included descriptions of how personal
information drawn from commercial sources would be used during planned
upcoming tests. However, these notices did not fully inform the public
about the procedures that TSA and its contractors would follow for
collecting, using, and storing commercial data. In addition, the scope
of the data used during commercial data testing was not fully
disclosed. Specifically, a contractor, acting on behalf of the agency,
collected more than 100 million commercial data records containing
personal information such as name, date of birth, and telephone number
without informing the public. As a result, the public did not receive
the full protections of the Privacy Act. In its comments on our
findings, DHS stated that it recognized the merits of the issues we
raised, and that TSA had acted immediately to address them.
The privacy problems faced in developing Secure Flight arose not
because it was prohibitively difficult to protect privacy while
prescreening airline passengers, but because TSA had not reassessed
privacy risks when key programmatic changes were made and taken
appropriate steps to mitigate them. Recently, TSA officials stated that
as they work to restructure the Secure Flight program, they plan a more
privacy-enhanced program by addressing concerns identified by us and
others. For example, officials stated that the program no longer plans
to use commercial data. Officials also stated that they have added
privacy experts to the system development teams to address privacy
issues as they arise. It is encouraging that TSA is now including
privacy experts within its development teams, with the express goal of
continuously monitoring privacy concerns. We will continue to assess
TSA's efforts to manage system privacy protections as part of our
ongoing review of the program.
Controlling the Collection and Use of Personal Information Obtained
from Information Resellers:
A major task confronting federal agencies, especially those engaged in
antiterrorism tasks, is to ensure that information obtained from
resellers is being appropriately used and protected. In fiscal year
2005, DHS reported planning to spend about $9 million on acquiring
personal information from information resellers.[Footnote 21] The
information was acquired chiefly for law enforcement purposes, such as
developing leads on subjects in criminal investigations, and for
detecting fraud in immigration benefit applications (part of enforcing
the immigration laws). For example, the agency's largest investigative
component, U.S. Immigration and Customs Enforcement--the largest user
of personal information from resellers--collects data such as address
and vehicle information for criminal investigations and background
security checks. DHS also reported using information resellers in its
counterterrorism efforts. For example, as already discussed, TSA used
data obtained from information resellers as part of a test associated
with the development of Secure Flight.
In our report on the acquisition of personal information from resellers
by agencies such as DHS, we noted that the agencies' practices for
handling this information did not always reflect the Fair Information
Practices.[Footnote 22] For example, system-of-records notices issued
by these agencies did not always state that agency systems could
incorporate information from data resellers, a practice inconsistent
with the principle that the purpose for a collection of personal data
should be disclosed beforehand and its use limited to that purpose.
Furthermore, accountability was not ensured, as the agencies did not
generally monitor usage of personal information from resellers;
instead, they relied on end users to be responsible for their own
behavior. Contributing to the uneven application of the Fair
Information Practices was a lack of agency policies, including at DHS,
that specifically address these uses.
Reliance on information from resellers is an emerging use of personal
data for which the government has been challenged to develop
appropriate guidance. We recommended that DHS and other agencies
develop specific policies, reflecting the Fair Information Practices,
for the collection, maintenance, and use of personal information
obtained from resellers. According to the DHS Privacy Office, while a
policy governing the department's use of commercial data is being
drafted, the document has not yet been issued. Until the department
issues clear guidance on this use, it faces the risk that appropriate
privacy protections may not be in place consistently across its
programs and applications.
Ensuring that Applications Using RFID Technology Protect Privacy
Consistently:
RFID is an automated data-capture technology that can be used to
electronically identify, track, and store information contained on a
tag. The tag can be attached to or embedded in the object to be
identified, such as a product, case, or pallet. RFID technology
provides identification and tracking capabilities by using wireless
communication to transmit data. In May 2005, we reported that major
initiatives at federal agencies that use or propose to use the
technology included physical access controls and tracking assets,
documents, or materials.[Footnote 23] For example, DHS was using RFID
to track and identify assets, weapons, and baggage on flights. The
Department of Defense was also using it to track shipments.
In our May 2005 report we identified several privacy issues related to
both commercial and federal use of RFID technology. Among these privacy
issues is the potential for the technology to be used inappropriately
for tracking an individual's movements, habits, tastes, or
predilections. (Tracking is real-time or near-real-time surveillance in
which a person's movements are followed through RFID scanning.) Public
surveys have identified a distinct unease with the potential ability of
the federal government to monitor individuals' movements and
transactions.[Footnote 24] Like tracking, profiling--the reconstruction
of a person's movements or transactions over a specific period of time,
usually to ascertain something about the individual's habits, tastes,
or predilections--could also be undertaken through the use of RFID
technology. Once a particular individual is identified through an RFID
tag, personally identifiable information can be retrieved from any
number of sources and then aggregated to develop a profile of the
individual. Both tracking and profiling can compromise an individual's
privacy.
Concerns also have been raised that organizations could develop
secondary uses for the information gleaned through RFID technology;
this has been referred to as mission or function "creep." The history
of the Social Security number, for example, gives ample evidence of how
an identifier developed for one specific use has become a mainstay of
identification for many other purposes, governmental and
nongovernmental.[Footnote 25] Secondary uses of the Social Security
number have been a matter not of technical controls but rather of
changing policy and administrative priorities.[Footnote 26]
DHS uses and has made plans to use RFID technology to track individuals
in several border security programs. This has been met with concern
from the DHS Data Privacy and Integrity Advisory Committee, which
reiterated our concerns that employing the technology for human
identification poses privacy risks, including notice problems and
potential for secondary use. One program that planned to make use of
RFID was the US-VISIT program, a multibillion dollar program that
collects, maintains, and shares information on selected foreign
nationals who enter and exit the United States at over 300 ports of
entry around the country. The incorporation of RFID into the program
arose from the agency's requirement for a less costly alternative to
biometric verification of visitors exiting the country.
We recently testified that US-VISIT RFID tests revealed numerous
performance and reliability problems.[Footnote 27] For example, the
readers placed to detect identifying tags failed to do so for a
majority of the RFID tags.[Footnote 28] Faced with these test results,
the Secretary of Homeland Security recently stated that the agency
would cancel the use of RFID for US-VISIT.
However, despite having rejected RFID for US-VISIT, the department has
endorsed the technology for another border control initiative, the
proposed PASSport (People Access Security Service) system
identification card, which is part of the Western Hemisphere Travel
Initiative. The RFID-enabled PASSport card would serve as an
alternative to a traditional passport for use by U.S. citizens who
cross the land borders and travel by sea between the United States,
Canada, Mexico, the Caribbean, or Bermuda.[Footnote 29]
The department's varying approaches to the use of RFID for human
identification suggest the need for a departmentwide policy that fully
addresses privacy concerns. Unless DHS issues comprehensive guidance to
direct the development and implementation of new technologies such as
RFID, it faces the risk that appropriate privacy protections may not be
implemented consistently across its programs and applications.
According to the DHS Privacy Office, it is considering developing
guidance to address the use of specific technologies, including RFID.
Ensuring that Privacy Considerations are Addressed Consistently and
Effectively in the Information Sharing Environment:
The challenges that DHS faces in protecting privacy extend beyond the
need to consider and address privacy issues while developing its own
programs and systems. The department also interacts with many other
intelligence and law enforcement entities, both within and outside the
federal government, and potentially shares information with them all.
As with its own programs and systems, it will be important for DHS to
ensure that privacy has been thoroughly considered and guidelines
clearly established as it participates in the emerging information
sharing environment.
As directed by the Intelligence Reform and Terrorism Prevention Act of
2004,[Footnote 30] the administration has taken steps, beginning in
2005, to establish an information sharing environment to facilitate the
sharing of terrorism information. The direction to establish an
information sharing environment was driven by the recognition that
before the attacks of September 11, 2001, federal agencies had been
unable to effectively share information about suspected terrorists and
their activities. In addressing this problem, the National Commission
on Terrorist Attacks Upon the United States (9/11 Commission)
recommended that the sharing and uses of information be guided by a set
of practical policy guidelines that would simultaneously empower and
constrain officials, closely circumscribing what types of information
they would be permitted to share as well as the types they would need
to protect. Exchanging terrorism-related information continues to be a
significant challenge for federal, state, and local governments--one
that we recognize is not easily addressed. Accordingly, since January
2005, we have designated information sharing for homeland security a
high-risk area.[Footnote 31]
In developing guidelines for the information sharing environment, there
has been general agreement that privacy considerations must be
addressed. The Intelligence Reform Act called for the issuance of
guidelines to protect privacy and civil liberties in the development
and use of the information sharing environment, and the President
reiterated that requirement in an October 2005 directive to federal
departments and agencies. Based on the President's directive, a
committee within the Office of the Director of National Intelligence
was established to develop such guidelines, and they were approved by
the President in November 2006.[Footnote 32] According to its annual
report for 2004-2006, the DHS Privacy Office has played a role in
developing these guidelines.[Footnote 33]
However, the guidelines as issued provide only a high-level framework
for addressing privacy protection and do not include all of the Fair
Information Practices. The 9-page document includes statements of
principles, such as "purpose specification," "data quality," "data
security," and "accountability, enforcement, and audit" that align with
certain elements of the Fair Information Practices, but it provides
little or no guidance on how these principles are to be implemented and
does not address another key practice--limiting the collection of
personal information. For example, as the policy director of the Center
for Democracy and Technology has pointed out, a number of principles
mentioned in the guidelines do not include any specificity on how they
should be carried out.[Footnote 34] The guidelines call for agencies to
"take appropriate steps" when merging information about an individual
from two or more sources to ensure that the information is about the
same individual, but they give no indication of what steps would be
adequate to achieve this goal. For example, no guidance is provided on
gauging the reliability of sources or determining the minimum amount of
information needed to determine that different sources are referring to
the same individual. Likewise, the guidelines direct agencies to
implement adequate review and audit mechanisms to ensure compliance
with the guidelines but, again, do not specify the nature of these
mechanisms, which could include, for example, the use of electronic
audit logs that cannot be changed by individuals. Finally, the
guidelines also direct agencies to put in place internal procedures to
address complaints from persons regarding protected information about
them that is under the agency's control. No further guidance is
provided about the essential elements of a complaint process or what
sort of remedies to provide.
According to the DHS Privacy Office, individual agencies, including
DHS, are to develop specific guidelines that implement the high-level
framework embodied in the governmentwide guidelines. However, no
overall DHS guidance on the protection of privacy within the context of
the information sharing environment has yet been developed. According
to the Privacy Office, an effort is currently being initiated to
develop such guidance.
While DHS is only one participant in the governmentwide information
sharing environment, it has the responsibility to ensure that the
information under its control is shared with other organizations in
ways that adequately protect privacy. Until it adopts specific
implementation guidelines, the department will face the risk that its
information sharing activities may not protect privacy adequately.
In summary, DHS faces continuing challenges in ensuring that privacy
concerns are addressed early, are reassessed when key programmatic
changes are made, and are thoroughly reflected in guidance on emerging
technologies and uses of personal data. We have made recommendations
previously regarding ADVISE, Secure Flight, and use of information
resellers, and officials have taken action or told us they are taking
action to address our recommendations. Implementation of these
recommendations is critical to ensuring that privacy protections are in
place throughout key DHS programs and activities. Likewise, issuing
guidance for participation in the information sharing environment will
also be critical to ensure implementation of consistent, appropriate
protections across the department.
Mr. Chairman, this concludes my testimony today. I would be happy to
answer any questions you or other members of the subcommittee may have.
Contacts and Acknowledgements:
If you have any questions concerning this testimony, please contact
Linda Koontz, Director, Information Management, at (202) 512-6240, or
koontzl@gao.gov. Other individuals who made key contributions include
Barbara Collier, Susan Czachor, John de Ferrari, Timothy Eagle, David
Plocher, and Jamie Pressman.
Attachment I: Selected GAO Products Related to Privacy Issues:
Data Mining: Early Attention to Privacy in Developing a Key DHS Program
Could Reduce Risks. GAO-07-293. Washington, D.C.: February 28, 2007.
Aviation Security: Progress Made in Systematic Planning to Guide Key
Investment Decisions, but More Work Remains. GAO-07-448T. Washington,
D.C.: February 13, 2007.
Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. GAO-07-248.
Washington, D.C.: December 6, 2006.
Personal Information: Key Federal Privacy Laws Do Not Require
Information Resellers to Safeguard All Sensitive Data. GAO-06-674.
Washington, D.C.: June 26, 2006.
Veterans Affairs: Leadership Needed to Address Information Security
Weaknesses and Privacy Issues. GAO-06-866T. Washington, D.C.: June 14,
2006.
Privacy: Preventing and Responding to Improper Disclosures of Personal
Information. GAO-06-833T. Washington, D.C.: June 8, 2006.
Privacy: Key Challenges Facing Federal Agencies. GAO-06-777T.
Washington, D.C.: May 17, 2006.
Personal Information: Agencies and Resellers Vary in Providing Privacy
Protections. GAO-06-609T. Washington, D.C.: April 4, 2006.
Personal Information: Agency and Reseller Adherence to Key Privacy
Principles. GAO-06-421. Washington, D.C.: April 4, 2006.
Information Sharing: The Federal Government Needs to Establish Policies
and Processes for Sharing Terrorism-Related and Sensitive but
Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006.
Data Mining: Agencies Have Taken Key Steps to Protect Privacy in
Selected Efforts, but Significant Compliance Issues Remain. GAO-05-866.
Washington, D.C.: August 15, 2005.
Aviation Security: Transportation Security Administration Did Not Fully
Disclose Uses of Personal Information during Secure Flight Program
Testing in Initial Privacy Notices, but Has Recently Taken Steps to
More Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22,
2005.
Identity Theft: Some Outreach Efforts to Promote Awareness of New
Consumer Rights are Under Way. GAO-05-710. Washington, D.C.: June 30,
2005.
Information Security: Radio Frequency Identification Technology in the
Federal Government. GAO-05-551. Washington, D.C.: May 27, 2005.
Aviation Security: Secure Flight Development and Testing Under Way, but
Risks Should Be Managed as System is Further Developed. GAO-05-356.
Washington, D.C.: March 28, 2005.
Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. GAO-05-59. Washington, D.C.:
November 9, 2004.
Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548.
Washington, D.C.: May 4, 2004.
Aviation Security: Computer-Assisted Passenger Prescreening System
Faces Significant Implementation Challenges. GAO-04-385. Washington,
D.C.: February 12, 2004.
Privacy Act: OMB Leadership Needed to Improve Agency Compliance.
GAO-03-304. Washington, D.C.: June 30, 2003.
Data Mining: Results and Challenges for Government Programs, Audits,
and Investigations. GAO-03-591T. Washington, D.C.: March 25, 2003.
Technology Assessment: Using Biometrics for Border Security.
GAO-03-174. Washington, D.C.: November 15, 2002.
Information Management: Selected Agencies' Handling of Personal
Information. GAO-02-1058. Washington, D.C.: September 30, 2002.
Identity Theft: Greater Awareness and Use of Existing Data Are Needed.
GAO-02-766. Washington, D.C.: June 28, 2002.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002.
Attachment 2: The Fair Information Practices:
The Fair Information Practices are not precise legal requirements.
Rather, they provide a framework of principles for balancing the need
for privacy with other public policy interests, such as national
security, law enforcement, and administrative efficiency. Ways to
strike that balance vary among countries and according to the type of
information under consideration. The version of the Fair Information
Practices shown in table 1 was issued by the Organization for Economic
Cooperation and Development (OECD) in 1980[Footnote 35] and has been
widely adopted.
Table 1: The Fair Information Practices:
Principle: Collection limitation;
Description: The collection of personal information should be limited,
should be obtained by lawful and fair means, and, where appropriate,
with the knowledge or consent of the individual.
Principle: Data quality;
Description: Personal information should be relevant to the purpose for
which it is collected, and should be accurate, complete, and current as
needed for that purpose.
Principle: Purpose specification;
Description: The purposes for the collection of personal information
should be disclosed before collection and upon any change to that
purpose, and its use should be limited to those purposes and compatible
purposes.
Principle: Use limitation;
Description: Personal information should not be disclosed or otherwise
used for other than a specified purpose without consent of the
individual or legal authority.
Principle: Security safeguards;
Description: Personal information should be protected with reasonable
security safeguards against risks such as loss or unauthorized access,
destruction, use, modification, or disclosure.
Principle: Openness;
Description: The public should be informed about privacy policies and
practices, and individuals should have ready means of learning about
the use of personal information.
Principle: Individual participation;
Description: Individuals should have the following rights: to know
about the collection of personal information, to access that
information, to request correction, and to challenge the denial of
those rights.
Principle: Accountability;
Description: Individuals controlling the collection or use of personal
information should be accountable for taking steps to ensure the
implementation of these principles.
Source: Organization for Economic Cooperation and Development.
[End of table]
FOOTNOTES
[1] For purposes of this testimony, the term personal information
encompasses all information associated with an individual, including
personally identifiable information, which refers to any information
about an individual maintained by an agency that can be used to
distinguish or trace an individual's identity, such as name, Social
Security number, date and place of birth, mother's maiden name,
biometric records, etc., including any other personal information which
is linked or linkable to an individual.
[2] For more information, see GAO, Information Sharing: The Federal
Government Needs to Establish Policies and Processes for Sharing
Terrorism-Related and Sensitive but Unclassified Information,
GAO-06-385 (Washington, D.C.: Mar. 17, 2006).
[3] GAO, Data Mining: Early Attention to Privacy in Developing a Key
DHS Program Could Reduce Risks, GAO-07-293 (Washington, D.C.: Feb. 28,
2007) and Data Mining: Agencies Have Taken Key Steps to Protect Privacy
in Selected Efforts, but Significant Compliance Issues Remain,
GAO-05-866 (Washington, D.C.: Aug. 15, 2005).
[4] GAO, Aviation Security: Progress Made in Systematic Planning to
Guide Key Investment Decisions, but More Work Remains, GAO-07-448T
(Washington, D.C.: Feb. 13, 2007) and Aviation Security: Transportation
Security Administration Did Not Fully Disclose Uses of Personal
Information during Secure Flight Program Testing in Initial Privacy
Notices, but Has Recently Taken Steps to More Fully Inform the Public,
GAO-05-864R (Washington, D.C.: July 22, 2005).
[5] GAO, Personal Information: Agency and Reseller Adherence to Key
Privacy Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006).
[6] GAO, Information Security: Radio Frequency Identification
Technology in the Federal Government, GAO-05-551 (Washington, D.C.: May
27, 2005) and Border Security: US-VISIT Program Faces Strategic,
Operational, and Technological Challenges at Land Ports of Entry,
GAO-07-248 (Washington, D.C.: Dec. 6, 2006).
[7] GAO-07-293.
[8] US-VISIT is an abbreviation for United States Visitor and Immigrant
Status Indicator Technology.
[9] GAO-07-248.
[10] Under the Privacy Act of 1974, the term "routine use" means (with
respect to the disclosure of a record) the use of such a record for a
purpose that is compatible with the purpose for which it was collected.
5 U.S.C. § 552a(a)(7).
[11] Congress used the committee's final report as a basis for crafting
the Privacy Act of 1974. See U.S. Department of Health, Education, and
Welfare, Records, Computers and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems
(Washington, D.C.: July 1973).
[12] Office of Management and Budget, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002, M-03-22 (Sept. 26,
2003). OMB is tasked with providing guidance to agencies on how to
implement the provisions of the E-Government Act, the Privacy Act, and
FISMA.
[13] The E-Government Act requires agencies, if practicable, to make
privacy impact assessments publicly available through agency Web sites,
by publication in the Federal Register, or by other means.
Pub. L. 107-347, § 208(b)(1)(B)(iii).
[14] FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec.
17, 2002).
[15] Pub. L. No. 107-296, § 222 (Nov. 25, 2002).
[16] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses,
GAO-04-548 (Washington, D.C.: May 4, 2004).
[17] DHS, Data Mining Report: DHS Privacy Office Response to House
Report 108-774 (July 6, 2006), p. 12.
[18] GAO, Data Mining: Early Attention to Privacy in Developing a Key
DHS Program Could Reduce Risks, GAO-07-293 (Washington, D.C.: Feb. 28,
2007).
[19] See GAO, Aviation Security: Computer-Assisted Passenger
Prescreening System Faces Significant Implementation Challenges,
GAO-04-385 (Washington, D.C.: Feb. 12, 2004).
[20] GAO, Aviation Security: Transportation Security Administration Did
Not Fully Disclose Uses of Personal Information during Secure Flight
Program Testing in Initial Privacy Notices, but Has Recently Taken
Steps to More Fully Inform the Public, GAO-05-864R (Washington, D.C.:
July 22, 2005).
[21] Information resellers are companies that collect information,
including personal information about consumers, from a wide variety of
sources for the purpose of reselling such information to their
customers, which include both private-sector businesses and government
agencies.
[22] GAO-06-421.
[23] GAO, Information Security: Radio Frequency Identification
Technology in the Federal Government, GAO-05-551 (Washington, D.C.: May
27, 2005).
[24] GAO, Technology Assessment: Using Biometrics for Border Security,
GAO-03-174 (Washington, D.C.: Nov. 15, 2002).
[25] GAO, Social Security Numbers: Government Benefits from SSN Use but
Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31,
2002).
[26] For information on the practices and tools to mitigate these
privacy issues, see GAO-05-551, pp. 22-24.
[27] GAO, Homeland Security: US-VISIT Has Not Fully Met Expectations
and Longstanding Program Management Challenges Need to be Addressed,
GAO-07-499T (Washington, D.C.: Feb. 16, 2007).
[28] A US-VISIT program official explained that for vehicles exiting
during RFID testing, one could "reasonably expect" a read rate of 70
percent. However, as the program office reported, tests conducted at
the Blaine-Pacific Highway border station showed readers correctly
identifying 14 percent of the travelers' tags.
[29] 71 Federal Register 60928-60932 (Oct. 17, 2006).
[30] Pub. L. No. 108-458 (Dec. 17, 2004).
[31] For more information, see GAO, High-Risk Series: An Update,
GAO-07-310 (Washington, D.C.: Jan. 2007), p. 47, and Information Sharing:
The Federal Government Needs to Establish Policies and Processes for
Sharing Terrorism-Related and Sensitive but Unclassified Information,
GAO-06-385 (Washington, D.C.: Mar. 17, 2006).
[32] Information Sharing Environment Program Management Office,
Guidelines to Ensure that the Information Privacy and Other Legal
Rights of Americans are Protected in the Development and Use of the
Information Sharing Environment (Nov. 22, 2006).
[33] DHS, Privacy Office Annual Report to Congress July 2004-July 2006
(Washington, D.C.: July 2006).
[34] James X. Dempsey, Statement on behalf of the Markle Foundation
Task Force on National Security in the Information Age before the
President's Privacy and Civil Liberties Oversight Board (Washington,
D.C.: Dec. 5, 2006).
[35] OECD, Guidelines on the Protection of Privacy and Transborder Flow
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in
fostering good governance in the public service and in corporate
activity among its 30 member countries. It produces internationally
agreed-upon instruments, decisions, and recommendations to promote
rules in areas where multilateral agreement is necessary for individual
countries to make progress in the global economy.