Why the ADVISE Data-Mining Program May be Very Ill-Advised:
Reports of Likely Privacy Violations Point to the Need to Mandate Specific Privacy Safeguards

By ANITA RAMASASTRY
Thursday, Mar. 08, 2007

According to a recent news story, the Department of Homeland Security (DHS) may have violated federal privacy laws by using American citizens' data without providing legally-required notice to the public.

Reportedly, the data was used to test out a new data-mining program entitled Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), that could take effect as soon as 2008. ADVISE is being tested via several DHS pilot programs, including one at the Office of Intelligence and Analysis.

Details of the violations are expected to be released soon, in a forthcoming General Accounting Office (GAO) report. The violations were unearthed because in the fiscal 2007 Homeland Security spending bill, Congress directed the GAO to investigate and report back.

At the time, Congress observed that "[a] prototype is currently available to analysts in [the DHS] Intelligence and Analysis [unit] using departmental and other data, including some on U.S. citizens. The ADVISE program plan, total costs and privacy impacts are unclear and therefore the conferees direct the inspector general [of GAO] to conduct a comprehensive program review and report within nine months of enactment of this act." (Emphasis added.)

Now, with privacy violations already resulting simply from the testing of ADVISE, it's time for Congress to focus on the program's privacy impacts, and how to minimize them.

In this column, I'll explain the nature of ADVISE, insofar as it has been made public. In addition, I'll argue that ADVISE should not go forward further without specific safeguards, mandated by Congress, to protect individual privacy and allow error-correction, and specify what those safeguards should be.

ADVISE: Simply A New Version of Total Information Awareness (TIA)?

Only a few public documents refer to ADVISE. From these, we know that ADVISE is described by DHS as a research and development program that is part of its three-year-old "Threat and Vulnerability, Testing and Assessment" portfolio.

In 2006, reports indicated than the federal government planned to create a massive computer system to collect and sort huge quantities of data, including data culled from sources as varied as email, blogs, and government records in order to search for patterns of terrorist activity. Assuming ADVISE was that system, it seems ADVISE will raise not only privacy concerns, but serious First Amendment concerns as well.

Reportedly, the goal of ADVISE is to ferret out terrorists in America by applying mathematical algorithms to uncover suspicious patterns within massive amounts of data contained in huge databases. According to a report summarizing a 2004 DHS conference in Virginia, once the algorithms are applied, the system will store groups of linked information as "entities." Doubtless, the results will be to put some individuals under close scrutiny, and even surveillance.

Some important aspects of ADVISE are still undisclosed: How much data about people would be compiled, and from where? For how long will this data be stored? What happens if someone is flagged as potentially suspicious? Will he or she be flagged indefinitely? What if someone is flagged in error? Can that error be corrected?

Like the airline passenger and border control profiling programs, which I discussed in a recent column, ADVISE very probably will rely on data not only from intelligence, law enforcement, and Internet sources, but also from companies' proprietary sources -- which contain information such as financial records and consumer records reflecting purchases of, for example, airline tickets, magazine subscriptions and books. (Thus, if, for example, terrorists were to begin using courier services to communicate, DHS could track that activity via ADVISE.)

Based on what we know so far, ADVISE sounds remarkably like a previous program initiated by the Pentagon: "Total Information Awareness" (TIA). TIA was nixed by Congress in 2003 when it was merely a concept being developed at the Defense Advanced Research Projects Agency (DARPA). However, it seems Congress' rejection of TIA hasn't deterred DHS from proposing a program that may simply be its direct equivalent.

It's Time for Congress To Get Specific About Mandating Privacy Protections

If, indeed, DHS has already violated the privacy rights of citizens by testing their data without their consent, this should raise red flags. Congress needs to carefully examine the impact of data mining on individual privacy, before ADVISE is put into action.

Some federal privacy protections do apply. For example, federal law restricts access to medical records. Those protections, however, are not robust enough to deal with large-scale data mining by the government. There are no limits on the government's ability to buy private data from companies, even though consumers may never have consented to have their data used this way. Nor is notice to the consumer required when such purchases of data occur.

When programs are based on patterning, innocent people can easily be wrongly accused. A terrorist may use cash to buy a one-way plane ticket, but so may a broke college student who has just enough money in his account for an impulse trip to visit his girlfriend on the opposite coast. A terrorist may buy large amounts of fertilizer for a bomb; someone else may do so simply because she's bought additional farmland. As I argued with respect to the flagging programs used for air travel and border control, it's imperative that an error-correction system is in place.

Racial and religious profiling is also a serious concern. Will those associated with particular mosques, for example, become part of a data "entity" that triggers surveillance?

Senator Russ Feingold has been a proponent of legislation that would require federal agencies to report on data-mining programs and how they safeguard privacy. Now, a majority of Congress should get behind Senator Feingold's, and similar, proposals, to ensure that ADVISE does not violate individual privacy.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.