
The Department of Homeland Security just sent a report to Congress about its data mining activities. This is the third such report as required under Section 806 of the Federal Agency Data Mining Reporting Act of 2007.

Under the Act, DHS was compelled to go back and report on its data mining activities in 2006, and there was a previous report covering data mining activities in 2007.

It seems as though Congress did not like the previous reports and thought that DHS was using a definition of data mining that was too narrow, which might have excluded too many DHS programs.

So Congress, in House Report 109-609, gave DHS a detailed definition of what data mining means to them, to be added on top of the definition that DHS was already using.

.... a query or search or other analysis of 1 or more electronic databases, whereas (A) at least 1 of the databases was obtained from or remains under the control of a non federal entity, or the information was acquired initially by another department or agency of the Federal Government for purposes other than intelligence or law enforcement; (B) a department or agency of the Federal Government or non federal entity acting on behalf of the Federal Government is conducting the query, or search or other analysis to find a predictive pattern indicating terrorist or criminal activity; and (C) the search does not use a specific individual person's identifiers to acquire information concerning that individual.

DHS has apparently gone back to the drawing board and is taking another crack at the 2007 report, using the newer definition.

And guess what they found? Yep, a whole bunch of activities that DHS had not reported to Congress as being data mining turned out to be.....wait for it.....data mining! Who'da thunk it?

The not previously reported data mining includes an inbound and outbound cargo analysis program, ADVISE (Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program pilot), and ICE's DARTTS program (Data Analysis and Research for Trade Transparency System). [Anybody interested in money laundering in the wake of the Spitzer scandal really wants to read this link, it is full of examples of how the Bank Secrecy Act reporting requirements actually work in the field.]

Anyway, DHS should have done a Privacy Impact Assessment of these programs to see a) whether they infringed on people's privacy, and b) what mitigation measures could be taken to ameliorate that infringement.

Since DHS didn't include these programs in its reporting, you already guessed that it didn't do the privacy assessment, right?

Sigh. None of this actually surprised anyone here, did it?

DHS promises to go back and do the privacy assessments and to be good little boys and girls in future, but basically, this is Congress catching them red-handed.
