DHS’s beleaguered HART still hasn’t addressed privacy ‘gaps’
The US Department of Homeland Security’s (DHS) repeatedly delayed and now estimated $3.1 billion Homeland Advanced Recognition Technology (HART) program continues to be plagued with privacy problems, according to audits and a new report.
Among these problems are serious “gaps” in the incorporation of key privacy measures that are required before HART can be deployed. They are so much of a problem that they’ve degraded the ability of HART to properly protect individuals’ Personally Identifiable Information (PII).
Because the HART initiative has been dogged by these and other problems from the start, the Fiscal Year 2025 DHS appropriations bill that was passed by the House on June 28, slashes funding for HART and financial systems management by $16.8 million below the FY 2024 enacted level, and provides no funds for additional procurement, construction, or improvements of HART.
That followed HART funding for FY 2023 having already been cut by about $17 million “due to ongoing cost, schedule, and performance challenges.” The program’s FY 2023 was just over $20 million, the same level as FY 2022.
The House Appropriations Committee report noted that the committee continues to be “concerned given continued delays and cost overruns for achieving initial operating capability of the HART system,” and “eagerly awaits” the follow-on report to an earlier Government Accountability Office (GAO) report “detailing HART’s cost, schedule, and implementation of selected privacy requirements.”
The FY 2023 funding bill had also required DHS’s Office of Biometric Identity Management (OBIM), which oversees HART, to continue briefing DHS oversight committees on a semiannual basis on its “workload, service levels, staffing, modernization efforts, and other operations.”
The FY 2025 funding bill continues that requirement, and further directs DHS “to continue to brief the Committee monthly on system development, associated costs, and schedule until full operational capability of HART is achieved.”
HART’s future, for the moment, is in limbo, and it’s not at all clear when it will be ready for prime time. Initial operations had already been pushed into 2025, but with funding for deployment on shaky ground, even 2025 now seems overly optimistic.
Originally estimated to be fully implemented in 2021, HART is supposed to be the successor to DHS’s outdated Automated Biometric Identification System (IDENT), which DHS currently continues to rely on to provide biometric identity management services, and which itself has been plagued by problems.
When fully operational, HART is supposed to serve as DHS’s centralized DHS-wide biometric database for storage and processing of biometric and associated biographic information for national security; law enforcement; immigration and border management; intelligence; background investigations for national security positions and certain positions of public trust; and associated testing, training, management reporting, planning and analysis, development of new technologies, and other administrative uses.
More than 290 million individuals’ PII, including biographic and biometric information, will be stored in the system.
Both IDENT and HART are managed by OBIM, which is the lead agency responsible for providing biometric identity management services to support national security and public safety decision making for DHS and its approximately 140 partners.
But, without first having ensured that all requisite privacy controls had been assessed, and all identified deficiencies corrected, the HART program can’t assure that PII collected by the system is adequately protected from unauthorized disclosure or misuse, according to a June Government Accountability Office (GAO) report on “high risk” issues for congressional requesters.
Until OBIM addresses weaknesses in HART privacy protections, OBIM may end up developing a system that puts individuals’ PII at increased risk for compromise, GAO told lawmakers on DHS oversight committees, members of which have become increasingly critical of not just the HART initiative, but also senior DHS leadership.
GAO previously recommended that DHS work with OBIM and its Privacy Office to address the shortcomings related to seven partially addressed privacy requirements GAO had found. DHS concurred with GAO’s recommendations, but to date, the recommendations have yet to be fully implemented.
In a blistering letter to DHS Secretary Alejandro Mayorkas in January, Sen. Chuck Grassley, Ranking Member of the Senate Committee on the Budget, said “These failures likely could have been avoided. The GAO report found that ‘the program’s cost estimate did not substantially or fully meet the four characteristics of a reliable cost estimate, and its ‘schedule estimate did not substantially or fully meet three of the four characteristics of a reliable schedule estimate.’ As one would expect, GAO warns that ‘[u]ntil these weaknesses are addressed, the HART cost and schedule estimates will continue to be unreliable.’”
“Additionally,” Grassley emphasized, “GAO found substantive issues with the HART program. Specifically, the report found ‘DHS had gaps’ in seven of the twelve Office of Management and Budget privacy requirements. GAO warned that ‘[u]ntil DHS addresses these privacy weaknesses, the department lacks assurance that the hundreds of millions [of] individuals’ personally identifiable information that will be stored and shared by HART will be appropriately protected.’ It is certainly necessary that DHS sufficiently protects this information as required by law and regulation, and it must also ensure relevant law enforcement entities have access to this data.”
Grassley pointed out that GAO had made nine recommendations in its September 2023 report, two of which pertained to DHS’s failure to use best practices while the other seven pertained to privacy concerns. “DHS concurred with the recommendations; however, as of January 23, 2024, none have been closed,” Grassley said.
GAO said in its September 2023 report that “DHS did not fully implement a majority of the selected federal privacy requirements to ensure the protection of PII in the HART program,” and that “some of the requirements included conducting a privacy impact assessment, reviewing the system authorization package, and incorporating privacy requirements in contracts. Specifically, of the 12 selected OMB privacy requirements, the department fully implemented five, and partially implemented seven.”
To date, GAO said, the seven recommendations regarding the privacy problems it earlier found, still haven’t been implemented.
DHS’s Inspector General (IG) also chastised DHS’s Privacy Office for not ensuring that DHS systems that supply biometric and biographic data to HART had current Privacy Impact Assessments as required by DHS policy and found unacceptable DHS’s intent to not “update existing sharing agreements once HART is deployed.”
The IG said it determined that “these issues occurred because the DHS Privacy Office responsible for enforcing privacy protections did not provide sufficient oversight of privacy compliance documentation or ensure OBIM implemented all privacy-related recommendations. As a result, DHS cannot ensure HART will protect the privacy of individuals whose information is stored in the system.”
Some of the requirements included conducting a privacy impact assessment, reviewing the system authorization package, and incorporating privacy requirements in contracts.
The IG also clarified that because HART is an “identity service provider and data repository that will match, store, and share personally identifiable information … HART must operate in accordance with the Privacy Act of 1974 and the E-Government Act of 2002.”
Article Topics
biometric database | biometrics | data privacy | DHS | GAO (Government Accountability Office) | Homeland Advanced Recognition Technology (HART) | OBIM | U.S. Government
Comments