Risk
10/10/2011
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

Homeland Security Criticized For Potential Privacy Risks

Poor oversight of data mining used in counterterrorism initiatives could leave personal information vulnerable, finds GAO report.

50 Most Influential Government CIOs
Slideshow: 50 Most Influential Government CIOs
(click image for larger view and for slideshow)
The Department of Homeland Security (DHS) does not adequately review the privacy and effectiveness of data-mining systems it uses in counterterrorism efforts, possibly putting personal information at risk, according to a government watchdog agency.

The Government Accountability Office (GAO) evaluated six data-mining systems from the DHS and three of its component organizations--the U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and the U.S. Citizenship and Immigration--and found that none of them had an effective framework in place for proper oversight of the systems, according to a new report by the agency.

Specifically, the GAO found that none of the systems "performed all of the key activities associated with an effective evaluation framework," according to the report.

[DHS is moving aggressively to implement cloud computing. Learn more about its plans: Homeland Security Plans 12 Cloud Services.]

While four of the programs performed most of the requirements for evaluating privacy, only one performed most of those related to executive review and approval, according to the GAO. This inconsistency puts privacy-related information at risk and also affects the effectiveness of the programs themselves, the agency found.

One system in particular--the Immigration and Customs Enforcement Pattern Analysis and Information Collection (ICEPIC)--was found to be especially troublesome because it was given a privacy impact assessment before the system was even completed, according to the GAO.

Officials developed their assessment of ICEPIC before a component called the law Enforcement Information Sharing Service--which allows people's personal information to be shared outside the agency--was put in place, according to the GAO. As a result, multiple law-enforcement agencies have access to people's personal information, but it's not being reported or disclosed, which could put that information at risk.

In the DHS' defense, the GAO said that officials are working to revise the privacy assessment plan to take into account the feature, but that plan is not yet complete.

As one of several recommendations in the report, the GAO advised the DHS to develop "requirements for providing additional scrutiny of privacy protections for the sensitive information systems that are not transparent to the public through privacy impact assessments."

The DHS did not respond immediately to request for comment about the report Monday.

The federal government has ramped up its data-mining efforts recently to improve how it uses the tool, particularly in its review of intelligence information to thwart terrorist activities. The National Counterterrorism Center (NCTC), for example, is developing software called DataSphere that can analyze terrorists' communications networks and travel activities to help discover relationships among them.

Data mining and analytics are also are key to efforts the feds are taking to cut costs, according to the Obama administration's Campaign to Cut Waste. Officials believe that by examining and analyzing existing data they can decide how to prioritize their investments.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4884
Published: 2014-10-21
The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4885
Published: 2014-10-21
The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application 3.4.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4887
Published: 2014-10-21
The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4888
Published: 2014-10-21
The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4889
Published: 2014-10-21
The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.