US violates privacy laws again, for two years

[Modelworks]

It appears that if you run a program and call the program " A test", then you don't have to comply with the law.

Anyone think they just tossed out the "test results" they got from the program ?

http://ap.google.com/article/A...E9yyXmi59VY2Abxumd6FIA

snip from the article.

WASHINGTON (AP) ? The Homeland Security Department scrapped an ambitious anti-terrorism data-mining tool after investigators found it was tested with information about real people without required privacy safeguards.

The department has spent $42 million since 2003 developing the software tool known as ADVISE, the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program, at the Lawrence Livermore and Pacific Northwest national laboratories. It was intended for wide use by DHS components, including immigration, customs, border protection, biological defense and its intelligence office.

Pilot tests of the program were quietly suspended in March after Congress' Government Accountability Office warned that "the ADVISE tool could misidentify or erroneously associate an individual with undesirable activity such as fraud, crime or terrorism."

Since then, Homeland Security's inspector general and the DHS privacy office discovered that tests used live data about real people rather than made-up data for one to two years without meeting privacy requirements. The inspector general also said ADVISE was poorly planned, time-consuming for analysts to use and lacked adequate justifications.

DHS spokesman Russ Knocke told The Associated Press on Wednesday the project was being dropped.

"ADVISE is not expected to be restarted," Knocke said. DHS' Science and Technology directorate "determined that new commercial products now offer similar functionality while costing significantly less to maintain than ADVISE."

Earlier, DHS said testing would resume once appropriate privacy analyses and public notices were completed.

ADVISE was one of the broadest of 12 data-mining projects in the agency.

A DHS research official said in 2004 it would be able to ingest 1 billion pieces per hour of structured information, such as databases of cargo shippers, and 1 million pieces per hour from unstructured text, such as government intelligence reports.

The system was supposed to identify links between bits of information that could otherwise go unnoticed. And it would graphically display results in charts of relationships and links.

 

[Fern]

The privacy office concluded that although required privacy analyses were ignored, the Privacy Act was not technically violated because the live data were covered by privacy notices issued earlier for other programs that originally gathered the information.

I read the list of information used, it's stuff already in various government databases. They were cross-referencing it. I'm not sure what the problem is re: privacy. That is, they were not acquiring info, just using what they already had (at least from I can tell from the full article).

Fern

 

[palehorse]

Originally posted by: Fern

The privacy office concluded that although required privacy analyses were ignored, the Privacy Act was not technically violated because the live data were covered by privacy notices issued earlier for other programs that originally gathered the information.

I read the list of information used, it's stuff already in various government databases. They were cross-referencing it. I'm not sure what the problem is re: privacy. That is, they were not acquiring info, just using what they already had (at least from I can tell from the full article).

Fern

Gee, I wonder why the OP forgot to include that last paragraph in his original "snip" of the article... :roll:

That said, how the heck could anyone produce enough fake data to test these software products?! That would an insane task in and of itself!

So they basically took data that was already collected and held legally, and ran the tools against it? What's the problem with that!?

 

[Modelworks]

Originally posted by: palehorse74
[
Gee, I wonder why the OP forgot to include that last paragraph in his original "snip" of the article... :roll:

I didn't include it because I didn't want to quote a long article that can be read at the link.

So they basically took data that was already collected and held legally, and ran the tools against it? What's the problem with that!?

The problem is the data they used was not given to them for that purpose.
Its basically the government saying any information you submit to us can be used whenever and however we choose. Just because you give consent to one place for a specific use of your information does not mean that you relinquish all further rights to keep that information private.

Read the last paragraph in full, especially the last sentence.

The privacy office concluded that although required privacy analyses were ignored, the Privacy Act was not technically violated because the live data were covered by privacy notices issued earlier for other programs that originally gathered the information. Dempsey argued those were too vague to alert citizens how ADVISE would use their data.

Even better read the pdf file about what information was used and where they got it.
May surprise you.

 

[Genx87]

Once you give the information or the govt obtains the information. I am failing to understand how letting one agency use it, but another not protects ones privacy. Besides it looks like they figured out farming the data mining off to private contractor is cheaper anyways.

Privacy in this country isnt as clear cut as we like to think. The govt cant come into your home. But once you leave the home privacy quickly erodes. Did you know everytime you make a purchase at major retailer with a check or CC that is entered into a DB and mined by marketing companies? Where is the outrage in this? Heck, I used to work at a company that held SS, private address info, and CC numbers in the same DB. Talk about ripe for identity theft.

 

[Modelworks]

From the pdf reports:

In response to recommendation 3, the Under Secretary stated that privacy law
and DHS Privacy Office guidance on assessing privacy impacts do not apply
to ADVISE for a number of reasons. First, the Under Secretary asserted that
ADVISE is a tool set and thus not a system, requiring such privacy
assessments. However, we do not direct our recommendation at conducting
privacy assessments on a technical tool. Rather, we recommend completing
privacy assessments for implementation of the holistic ADVISE solution
which, as piloted, has involved the use of personally identifiable data that
must be protected. ADVISE program managers did not begin the privacy
assessment process until well after the pilot programs were already using
personally identifiable information; this effort is still in process

They didn't even check if the information had privacy consents till after it was already being used. And the Under Secretary trying to shift blame saying its a tool and not a system so they don't need consent is a cop out.

Indeed, during our audit, we found
that several ADVISE pilots were conducted with personally-identifiable
information prior to S&T having completed privacy assessments as required.
Further, the Under Secretary states that the data was only used in the ADVISE
pilots for a short period of time and was never used in an operational mode for
decision-making. However, our audit work shows that the data was used in
pilot systems for one to two years. Additionally, on at least one occasion, the
data was used to produce classified intelligence information.

 

[palehorse]

no, I do not have any personal problem with the data they already have being migrated to a single database... and it would sure make my job a helluva lot easier.

 

[Spamela]

Originally posted by: Genx87
Once you give the information or the govt obtains the information. I am failing to understand how letting one agency use it, but another not protects ones privacy. Besides it looks like they figured out farming the data mining off to private contractor is cheaper anyways.

Privacy in this country isnt as clear cut as we like to think. The govt cant come into your home. But once you leave the home privacy quickly erodes. Did you know everytime you make a purchase at major retailer with a check or CC that is entered into a DB and mined by marketing companies? Where is the outrage in this? Heck, I used to work at a company that held SS, private address info, and CC numbers in the same DB. Talk about ripe for identity theft.

42 million over a few years is pocket change for the fed govt.

i have some experience in data mining & i don't think
private industry products are cheaper or better.

 

[Rainsford]

Originally posted by: palehorse74
no, I do not have any personal problem with the data they already have being migrated to a single database... and it would sure make my job a helluva lot easier.

Well there's your problem, the end goal of privacy laws isn't to "make your job easier". When THAT is our only goal, that's called a police state.

I doubt any laws were broken here, but I think it's important to say that the government is not some huge monolith...giving information to one segment of the government does not mean you want EVERY part of the government to have it. I realize the IRS needs information so I can pay my taxes, that doesn't mean I want them to help the FBI start a file on me.

 

[Rainsford]

Originally posted by: Genx87
Once you give the information or the govt obtains the information. I am failing to understand how letting one agency use it, but another not protects ones privacy. Besides it looks like they figured out farming the data mining off to private contractor is cheaper anyways.

Privacy in this country isnt as clear cut as we like to think. The govt cant come into your home. But once you leave the home privacy quickly erodes. Did you know everytime you make a purchase at major retailer with a check or CC that is entered into a DB and mined by marketing companies? Where is the outrage in this? Heck, I used to work at a company that held SS, private address info, and CC numbers in the same DB. Talk about ripe for identity theft.

That doesn't mean it's right. I personally think our personal information laws should mirror those in most European countries, it never made sense to me that you don't own your personal information, that once it's out of your control you have no say as to what is done with it.

 

[OrByte]

"Additionally, on at least one occasion, the
data was used to produce classified intelligence information. "

Its all "fun and games" until someone gets classified as an "intelligence target." I wonder if the "classified intelligence information" gathered could be used in a court of law?

 

[Spamela]

Originally posted by: Rainsford

Originally posted by: palehorse74
no, I do not have any personal problem with the data they already have being migrated to a single database... and it would sure make my job a helluva lot easier.

Well there's your problem, the end goal of privacy laws isn't to "make your job easier". When THAT is our only goal, that's called a police state.

I doubt any laws were broken here, but I think it's important to say that the government is not some huge monolith...giving information to one segment of the government does not mean you want EVERY part of the government to have it. I realize the IRS needs information so I can pay my taxes, that doesn't mean I want them to help the FBI start a file on me.

i think you also have to keep in mind that the amount of
data and the processing required are incredibly vast and,
given that there are only so many intelligence analysts
and computer resources around, it only makes economic sense
to focus on a few people/things, rather than Joe Sixpack.

 

[Spamela]

Originally posted by: OrByte
"Additionally, on at least one occasion, the
data was used to produce classified intelligence information. "

Its all "fun and games" until someone gets classified as an "intelligence target." I wonder if the "classified intelligence information" gathered could be used in a court of law?

intelligence analysts make that determination and have to justify it,
based on the integrity of the data sources;
the software just suggests where the IA might focus attention.

 

[Lemon law]

There is the old story about a man who worked as some US official and was an attorney. And lived an impeccable personal financial life. Yet the man had a piss poor credit rating and as a result paid much higher the normal interest rates on money he borrowed on installment loans and home mortgages.

Turn out that in the course of doing his government job, every time the government itself brought suit against some "bad guy or girl", his personal name went on the lawsuit. And similar type private data mining tools had noted this person had an inordinate number of lawsuits going, and it came back on his credit rating.

And if nothing else, this shows some of the dangers of data mining. All sorts of data is out there that is just totally ripe for mis interpretation. And once the errors are made and it gets into various data bases, its almost impossible to correct.

Another scenario would be an illegal alien getting a hold of your SS#, maybe by guessing it random or on the black market, and then getting a string of short time jobs using that SS#.
The point is government records would show both the income and with holdings, and said illegal alien could commit all kinds of crimes on your behalf without even having you lift a finger to do the crimes.

But much of the governmental data mining is now justified by gotta catch them terrorists. And the point is them terrorists simply choose not to communicate by means that can be data mined. And hence is a inefficient waste of money for catching terrorists.

The point being, if we don't make a practice illegal, someone will do it for what they think is noble means, but we pay the price when it burns us as wrong interpretations are inevitable.
And then its your screwed and no one will fess up to being responsible for the damage.

 

[ProfJohn]

Note to Modelworks: Any time you post an article and there is ANY bit in it that might be contradictory to what you are trying to say include that in your OP or else you risk being called out for it. After that happens people will stop talking about what you put in and instead talk about what you left out.

 

[imported_Baloo]

Originally posted by: palehorse74

Originally posted by: Fern

The privacy office concluded that although required privacy analyses were ignored, the Privacy Act was not technically violated because the live data were covered by privacy notices issued earlier for other programs that originally gathered the information.

I read the list of information used, it's stuff already in various government databases. They were cross-referencing it. I'm not sure what the problem is re: privacy. That is, they were not acquiring info, just using what they already had (at least from I can tell from the full article).

Fern

Gee, I wonder why the OP forgot to include that last paragraph in his original "snip" of the article... :roll:

That said, how the heck could anyone produce enough fake data to test these software products?! That would an insane task in and of itself!

So they basically took data that was already collected and held legally, and ran the tools against it? What's the problem with that!?

Wow, nobody get's it? It put that data into the hands of people who were not authorized to access it.