As DHS stands up national vetting center, privacy issues persist, assessment says
As the Department of Homeland Security (DHS) stands up the National Vetting Center (NVC), which was mandated by National Security Presidential Memorandum (NSPM)-9 to coordinate the efforts of agencies across the US government to collect, store, process, share, disseminate, and use accurate and timely biographic, biometric, and contextual information — including on a recurrent basis – to identify activities and associations with “known or suspected threat actors and other relevant indicators that inform adjudications and determinations related to national security, border security, homeland security, or public safety,” the NVC director and DHS Privacy Office conducted a Privacy Impact Assessment (PIA) “to assess the risks to privacy, civil rights, and civil liberties presented by the NVC and the vetting programs that will operate using the NVC.”
In addition to terrorism-related threats, programs that use the NVC process and technology pursuant to NSPM-9 “to facilitate vetting may also identify additional categories of threats relevant to their vetting such as transnational organized crime, foreign intelligence activities directed against the United States, the proliferation of weapons of mass destruction, malign cyber activities, and the efforts of military threat actors be “used as part of the vetting process and that “activities, associations with known or suspected threat actors, and other relevant indicators” be identified and considered in making such decisions.”
The NVC process is “primarily focused on the review of classified national security information for vetting, but it is not intended to nor does it replace other types of vetting checks,” the PIA says,” adding, “As vetting programs are integrated into the NVC process and technology,” the PIA will be updated with an addendum that describes each such vetting program.
The PIA, just recently made public, addresses whether a “system security plan [has] been completed for the information system(s) supporting the project.”
“The Authority to Operate for the NVC technology being built-out by DHS’s Office of Intelligence & Analysis (DHS I&A) is being granted concurrently with the completion of this PIA, along with other compliance requirements, “the PIA said.
NSPM-9 mandated the “government improve the manner in which executive departments and agencies (agencies) coordinate and use intelligence and other information to identify individuals who present a threat to national security, border security, homeland security, or public safety in accordance with their existing legal authorities and all applicable policy protections.”
To achieve this mandate, the President directed the establishment of the National Vetting Center NVC within DHS “with the purpose of coordinating agency vetting efforts to locate and use relevant intelligence and law enforcement information to identify individuals who may present a threat to the homeland.” The DHS secretary delegated this responsibility within DHS to Customs and Border Protection (CBP).
“Vetting” is defined as “manual and automated processes used to identify and analyze information in US government holdings to determine whether an individual poses a threat to national security, border security, homeland security, or public safety, primarily, but not necessarily exclusively, in support of the US government’s visa, naturalization, immigration benefit, immigration enforcement, travel, and border security decisions about an individual.”
The PIA states “NVC activities will be conducted in a manner that is consistent with the Constitution; applicable statutes including the Privacy Act; applicable executive orders and Presidential Directives including Executive Order 12333, United States Intelligence Activities, as amended; and other applicable law, policies, and procedures pertaining to the appropriate handling of information about US persons (as defined in Executive Order 12333) and other individuals protected by US law and policy. The NVC has not changed or expanded these existing authorities.”
The PIA said, the NVC also “will not replace all vetting activities [that involve a variety of biometric databases already in place] that occur today. Most immigration and border security programs already use readily available, unclassified information,” noting, “However, the vetting processes that support those programs may face challenges when using classified or otherwise highly restricted information to support those processes. The NVC process and technology is designed to make such information accessible in a more centralized and efficient manner to agencies charged with making adjudications. The NVC does not engage in making adjudications itself. Its role is limited to that of facilitator or service provider for the NVC process and technology used for vetting.”
Among what the PIA says is a “partially mitigated” threat is the “risk that changes or corrections made to Personally Identifiable Information [PII] in the underlying adjudicating agency source systems will not be updated or pushed to the Vetting Support Agencies, leading to inaccurate or out-of-date information being reviewed for vetting.”
This “risk is partially mitigated [by] protocols … to ensure … information in the Vetting Support Request is updated during the vetting processes to ensure the most recent information available is used for vetting,” the PIA disclosed.
“However,” the PIA added, “the US government has a need to maintain a record of any decision that affects an individual, and that record should contain and point to the information that was relied upon at the time. If it is later determined that some of that information was incorrect, the original record should not be modified, but rather annotated to indicate the inaccurate data and the new, correct information. Inaccurate data would not be erased, but it must be clear from the totality of the updated record which data was found to be inaccurate and which is correct.”
Federal privacy rights authorities – including at DHS – told Biometric Update on background because they’re not cleared to discuss the NVC, that the PIA’s determination that “original record(s) should not be modified, but rather annotated to indicate the inaccurate data,” isn’t, as one of the sources said, “a sufficient enough reason to accept that this risk is, as they say,, ‘partially mitigated.’”
Continuing, the sources – several of whom are seasoned intelligence analysts – said they’re not comfortable with the PIA’s revelation that, “Inaccurate data would not be erased, but it must be clear from the totality of the updated record which data was found to be inaccurate and which is correct.” One explained that even though a record may be modified to say it contains inaccurate data, that “can still create a bias on the part of an analyst, inputter, or adjudicator of the data, to have suspicions that there might be something to the so-called incorrect data that, say, just couldn’t be verified at the time, but that there might have had reasonable suspicion for … based on something … to have been included in the first place — that the intel was correct, or at least the person who entered it was actually on to something.”
One risk the PIA pointed that “cannot be fully mitigated … individuals could “be unaware of the NVC, its purpose, how it operates, and what the potential impacts it has on individuals and their data. Individuals also may not have a full understanding of where their data is going and how it is used by the NVC.”
The PIA explained that because of “the sensitive nature of intelligence, law enforcement, and other information incorporated into vetting activities through the NVC process and technology, it may not be possible for individuals to be informed when their information is used in the NVC …”
Consequently, the NVC, at the direction of the National Vetting Governance Board, “is taking a number of measures to provide transparency in other forms” which the PIA “and subsequent addenda provide information and assess the privacy risks that use of the NVC process and technology poses generally and to affected individuals for particular vetting programs.”
In addition, the National Vetting Governance Board will be publicly releasing “an unclassified version of the NVC Implementation Plan as part of what the PIA described as a “significant public outreach … to promote better understanding of the NVC among oversight entities such as congressional committees, the media, and public interest groups.”
For example, when new vetting programs join the NVC, specific notifications will be given, “as appropriate,” such as “privacy compliance documentation (e.g., PIA, SORN) for vetting programs that may be updated, and that Privacy Act Statements or Privacy Notices may be amended on the forms which are the initial instruments for a person’s data collection, as well as “any changes to an individual application form submitted for a benefit will require a Paperwork Reduction Act notice.
Still “another potential risk addressed by the PIA is “Vetting Support Responses do not correctly match the individual associated with a specific Vetting Support Request due to misidentification” of biometric and other PII.
According to the PIA, however, “The NVC has taken appropriate steps to mitigate this risk,” saying it “is anticipated that information in most vetting programs will be collected directly from the individuals to whom that information pertains, which should ensure a high level of accuracy upon collection. In some cases, information will be collected about an individual from a third-party, such as in the case of a visa applicant providing information in the application about family members or individuals in the United States they plan to visit or who will employ them.”
Insider privacy authorities though still have questions, although the PIA assured that “vetting programs collect a number of identifiers and other information about an individual, which increases the likelihood of accurately matching individuals between Vetting Support Requests and Vetting Support Responses. Collection of this information assists both the Vetting Support Agencies and the Vetting Analysts in determining any possible misidentification issues prior to adjudication.”
“For example,” the PIA states, “if previous history of travel to the United States is collected, then that information can be used to confirm an identity match … Vetting Support Agencies have their own internal processes in place to ensure accurate information is distributed back to Adjudicating Agencies,” which “includes sharing information in accordance with Intelligence Community Directive 203, IC Analytic Standards. Additionally, Vetting Support Agencies review all information to ensure it is appropriate to be shared outside of their own agency.”
And, the PIA said, “As vetting programs are added to the NVC process, any additional and unique risks of misidentification for each vetting program will be discussed in [updated] addenda [to] this PIA.”
Another possible privacy risk identified by the PIA involves the “risk [that] NVC technology will not have appropriate security safeguards, putting individual PII at risk of breach or compromise.”
According to the NVC and DHS Privacy Office, though, “This risk is mitigated … because the NVC technology is being maintained on a classified network [and that] DHS follows the information technology security requirements established in DHS’s Sensitive Compartmented Information Systems 4300C Instruction Manual; National Institute of Standards and Technology Special Publication 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations; and Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems.”
In addition, the PIA assured, “The NVC technology must also receive an Authority to Operate, which requires approval by the DHS Chief Information Security Officer and DHS Chief Privacy Officer. Other agencies participating in the NVC process apply and follow comparable standards with respect to their information technology systems.”
There is also “a risk that the stated purposes of the collection of data are inconsistent with the vetting activities that will be occurring using the NVC process and technology,” but that this risk is mitigated because, “The purposes for collection of the Vetting Support Request data, as documented in SORNs, PIAs, Privacy Act Statements or Privacy Notices, and information sharing agreements will be reviewed as a part of the NVC process to on-board a new vetting program to ensure they are accurate and adequately support the vetting activities.”
This supposedly will “help” to assure “individuals who provide the information receive adequate public notice of the purposes for collection and uses of [their biometric and PII] data.”
Finally, there’s the “risk that the information collected through the NVC process will be used inappropriately by users of the NVC technology,” but that this risk will be mitigated because “the NVC has implemented audit capabilities and access controls to ensure that only those who should have access to the information are granted such.”
Presumably, according to DHS officials on background because of the sensitive nature of the NVC, biometrics will be used by authorized operators, handlers, managers, and consumers with NVC access point permissions.
“Information sharing agreements will [also] be reviewed and modified, if applicable and necessary, to ensure they support NVC vetting activities and privacy and civil rights and civil liberties protections,” the PIA said, although one intelligence official familiar with the NVC told Biometric Update on background that, “that’s not to say somewhere down the road within the [Intelligence] Community, there could be misuse,” explaining, “in a situation where one has access and time-sensitive intel, and needs to compare it with biometrics in the system.”
The PIA noted that vetting analysts “may not have access to all records in a system. If the link in question is to a record to which they do not have access, [the] vetting analysts will notify their supervisor to either request access or transfer the matter to another vetting analyst who has the appropriate level of access to view the record in question.”
Although according to the PIA, “Each vetting program is … reviewed by the Legal and PCRCL Working Groups to ensure all legal, privacy, civil rights, and civil liberties requirements, including those pertaining to use of information in support of that program, are met,” and that, “After these reviews, the National Vetting Governance Board ultimately approves whether any new vetting program is on-boarded to the NVC workflow,” there is “is a risk that the NVC will share information with Vetting Support Agencies that do not have authority to support vetting activities for a specific vetting program, or do not have data relevant to Adjudicating Agencies based on the applicable legal standards.”
Using the new “NVC technology, the Vetting Support Responses are displayed to the vetting analyst, and the analyst uses the links or pointers provided to view the information resident in other (typically classified) systems to which the analyst has authorized access,” the PIA said, emphasizing that the “Vetting analyst then analyzes this information and considers it in relation to the relevant legal standard for deciding the matter at issue … before making a decision. The vetting analyst then makes a recommendation (e.g., to grant or deny) to an adjudicator, who is an official within the adjudicating agency that has the responsibility to make the decision. Adjudicators (who are not assigned to the NVC but sit at their home agencies) consider the vetting analyst’s recommendation and analysis underlying that recommendation, when appropriate, along with other relevant information available to them outside of the NVC process, and make a decision … Throughout this process, the vetting analysts and the adjudicators both remain under the operational control and act under the legal authorities of the adjudicating agency.”
Supporting the NVC process is the Intelligence Community Support Element, which is also established pursuant to NSPM-9. The IC Support Element is tasked to “facilitate, guide, and coordinate all IC efforts to use classified intelligence and other relevant information within IC holdings in direct support of the NVC,” and is “an independent entity established by the Director of National Intelligence comprising certain IC elements, which provide support to the NVC in accordance with their existing authorities. The role of each IC element, including whether it provides information … will vary based on the particular vetting program and each agency’s individual authorities, policies, and procedures.”
According to the PIA, “The composition of the IC Support Element will be a combination of assignees” authorized access to information that has been deemed “analytically significant” by an intelligence element as “information that provides analytic insight into the potential threat to national security posed by an individual, either directly or indirectly. For Vetting Support Agencies that are elements of the IC, any US person information must satisfy the requirements for dissemination under that agency’s Attorney General Guidelines pursuant to Executive Order 12333 to qualify as analytically significant threat information. Such information will also be presumed to be in adherence to the IC Analytic Standards established in Intelligence Community Directive 203,” but “does not apply to law enforcement information that is not foreign intelligence.”