Privacy concerns might freeze program profiling terrorism suspects

U.S. Immigration and Customs Enforcement is considering whether to halt part of a program that probes profiles of suspects for links to terrorist activity, after federal auditors found the scope of the initiative violates privacy guidelines, federal officials said Tuesday evening.

The Pattern Analysis and Information Collection program, or ICEPIC, lets agents search data on individuals under investigation to find nonobvious relationships that could indicate illegal activities or terrorist plots. Within a couple of months after ICEPIC's launch in 2008, ICE expanded the $150 million program with a new service to let outside analysts also conduct inquiries. But a privacy review that dictates how the program must handle personal information prohibited external access, stated a Government Accountability Office report released Friday.

The service "provides functionality that is explicitly excluded in the approved privacy impact assessment," David A. Powner, GAO director for information technology and management issues, wrote in the report. The study examined privacy protections for data-mining programs throughout ICE's parent agency, the Homeland Security Department.

Three years ago, ICE turned on the new feature to let other federal, state and local law enforcement authorities search ICEPIC online. The agency, however, neglected to inform overseers or the public about the privacy risks of doing so, because ICE never updated the privacy assessment, as required by law, according to the report.

GAO officials recommended that Homeland Security "investigate whether the information sharing component of ICEPIC, called the Law Enforcement Information Sharing Service, should be deactivated until a [privacy assessment] that includes this component is approved."

Homeland Security officials agreed with the entire recommendation, according to the report, but an enclosed Aug. 19 DHS letter responding to a draft audit did not say whether the service is still in use.

"The chief privacy officer will conduct an investigation," Jim Crumpacker, DHS director of the departmental GAO/Office of Inspector General Liaison Office, wrote in the letter. "The DHS Privacy Office is already coordinating with the U.S. Immigration and Customs Enforcement Privacy Officer and relevant program officials to review and revise the [privacy assessment], as appropriate."

On Tuesday evening, DHS officials said the department is still deciding whether to shutter the information-sharing service.

When that component was first planned, DHS officials determined a privacy assessment update would not be necessary, DHS Deputy Press Secretary Peter Boogaard explained.

"After the GAO review, and in the spirit of transparency, ICE and DHS Privacy are expediting the [privacy assessment] update process referenced in the department's response," he said. "The DHS privacy office is determining possible consequences and mitigation strategies -- including the potential of turning off the system -- for DHS systems in which privacy compliance documentation does not keep up with operational realities."

Department officials acknowledged that their privacy analysis in 2008 likely was not as comprehensive as it should have been.

"Personal information is being shared with multiple law enforcement agencies, but this sharing has not been reported or disclosed," Powner wrote. "In fact, the approved [privacy assessment] states that those outside the agency would not be given direct access to the personal information."

The ICEPIC system can perform an array of sophisticated queries among millions of records, according to Homeland Security officials. Users can search by name or address and rapidly graph connections between individuals and groups. ICEPIC can, for instance, find out if subjects under investigation ever shared the same address. Agents tap the system to judge whether they should pursue leads or take action.

The Democratic lawmakers who requested the data-mining report called the policy breaches disturbing.

"It is alarming that DHS needed GAO to point out that the agency's data-mining program has been violating its own privacy protocols for more than three years by sharing sensitive personal information with local, state and federal officials," Rep. Donna Edwards, D-Md., ranking Democrat of the House Science, Space and Technology Subcommittee on Investigations and Oversight, said in a statement.

On Tuesday, Douglas Pasternak, chief investigator for the subcommittee's Democratic staff, said the panel has not yet been briefed on the repercussions of sharing suspects' personal data with outsiders.

"Were there specific cases where this violation had a real impact on a case, we just don't know," he said. "From a systemic standpoint, this is certainly not following procedures."

Democratic aides expect Homeland Security officials will brief them next week on steps the department is taking to resolve the privacy problems identified.

Aides for the committee's Republicans said they were not inclined to provide comment at this time.