Department of Defense

Office of the Inspector General -- Audit

Terrorism Information Awareness Program - Report No. D-2004-033 (PDF) - Project No. D2003CM-0056.000

Date: December 12, 2003



To obtain copies of Office of the Assistant Inspector General for Auditing Reports, contact the Secondary Reports Distribution Division of the Audit Followup and Technical Support Directorate at (703) 604-8937 or FAX (703) 604-8932.


Who Should Read This Report and Why? DoD and Defense Advanced Research Projects Agency (DARPA) personnel involved in the development of the Terrorism Information Awareness (TIA) program or anyone interested in using sophisticated information technology that collects, stores, and analyzes information should read this report.

Background. This report completes our response addressing concerns of Senators Grassley, Nelson, and Hagel and discusses whether development of the DARPA TIA program included safeguards to ensure the technology was properly managed and controlled in an operational environment (See Appendix C). Section 8131 of the National Defense Appropriations Act for Fiscal Year 2004 (Public Law 108-87, September 30, 2003) eliminated funding for the majority of the TIA program components. However, the content of this report remains applicable in the event that program concerns are resolved or DoD pursues similar technologies in the future.

DARPA conducts research for DoD and was developing the TIA program to combat terrorist threats. The TIA research and development effort will integrate information technologies into a prototype system that will assist intelligence analysts in detecting, classifying, and identifying potential terrorist activities. The TIA research and development effort began in FY 2003. DARPA proposed in the President's FY 2004 Budget an estimated $53.8 million in funding for development of TIA. That amount does not include, however, funding for the additional programs DARPA envisions as component programs of the TIA prototype. DARPA, in coordination with intelligence activities, is testing TIA capabilities in an operational research and development environment using real-time feedback.

Results. A review of the TIA program, including the developmental contracts, showed that although the TIA technology could prove valuable in combating terrorism, DARPA could have better addressed the sensitivity of the technology to minimize the possibility of any Governmental abuse of power and could have assisted in the successful transition of the technology into the operational environment. As a result, DoD risks spending funds to develop systems that may be neither deployable nor used to their fullest potential without costly revisions and retrofits. Because the audit was conducted in response to congressional requests, we did not perform a review of the DARPA management control program.

The Under Secretary of Defense for Acquisition, Technology, and Logistics (USD (AT&L)), in coordination with the Director, DARPA, should perform a privacy impact assessment before TIA-type technology research continues. In addition, USD (AT&L) should appoint a Privacy Ombudsman or equivalent official specifically for the development of Terrorism Information Awareness-type technology who will ensure that individual Terrorism Information Awareness-type technologies are scrutinized from a privacy perspective as a means of safeguarding individual privacy. The appointee, in consultation with the Office of the General Counsel, should conduct assessments on the impact of Terrorism Information Awareness-type technology on privacy. (For detailed recommendations, see Recommendations, Management Comments and Audit Response.)

Management Comments. The Director, Defense Research and Engineering (DR&E), responding for the USD (AT&L), concurred with both recommendations. The Director, DR&E concurred with the importance of privacy impact assessments, stating that privacy impact assessments, focused on specific end-use applications, should precede all transitions to operational employment of TIA tools. The Director, DR&E stated that the decision to employ intelligence and synthetic data during the project development phase reflected deliberate consideration of privacy concerns at a level appropriate for a research effort. The Director, DR&E also stated that the report should have concluded that the TIA project did not violate privacy policies of the United States. In addition, the Director, DR&E stated that in the absence of guidance on privacy impact assessments, DARPA restricted developmental efforts to intelligence and synthetic databases, formed review boards, and implemented DARPA research into privacy safeguards.

The Director, DARPA stated that our report did not address the concerns raised by several U.S. Senators (Senators Grassley, Hagel, and Nelson) that DARPA was developing a system for domestic law enforcement for which it had no statutory duty to do so. The Director, DARPA stated that although DARPA acknowledged that TIA could be used by law enforcement, the report should have explicitly stated that DARPA was not developing a system for domestic law enforcement. The Director, DARPA stated that any use by law enforcement would have to be approved by Congress as well as other authorities. The Director, DARPA also stated that the report should have been clearer that a privacy impact assessment was not required. See the Management Comments section of the report for a complete text of the comments.

Audit Response. Although the report stresses that DoD and DARPA need to be proactive and address policy and privacy measures at the earliest stages, the report does not assert or conclude that any privacy violations have occurred. In response to the concerns of the Director, DARPA that the report does not address congressional concerns, we have included in Appendix C our responses to Senators Grassley, Hagel, and Nelson, which clearly set forth our objectives for this audit. Relating to the intended end uses of TIA, senior USD (AT&L) officials in briefings had clearly indicated that TIA had potential usage by both the intelligence and law enforcement communities. In response to the Director, DARPA comments on the privacy impact statement, the report clearly sets forth our position that, in the case of TIA, prudence would dictate that a requirement for a privacy impact assessment be done as a best business practice though no firm requirement exists.


