Dept of Homeland Security: inexcusable IT waste on ADVISE project

Following its $30 billion virtual fence debacle, the Department of Homeland Security (DHS) has disclosed another failed IT-related project, this one costing $42 million. DHS has suspended, and will likely cancel, a massive data-mining initiative on grounds that it violated privacy standards. Significantly, the program has also suffered from dramatic, severe, and systematic project management failures.

The ADVISE (Analy­sis, Dissemina­tion, Visu­ali­zation, Insight and Semantic Enhance­ment) program, which is still in the prototype and testing stage, is part of a large-scale, anti-terrorism data analysis operation run by DHS. As reported by Mark Clayton in the Christian Science Monitor, ADVISE is intended to "display data patterns visually as 'semantic graphs' – a sort of illuminated information constellation – in which an analyst's eye could spot links between people, places, events, travel, calls, and organizations worldwide." For additional background, see another Christian Science Monitor article written by Mark Clayton.

The DHS Privacy Office and the DHS Office of Inspector General have both issued reports criticizing the program for violating federal privacy guidelines. The program was also slammed for poor project management and oversight, with questions being raised about whether this custom software should have been written at all.

The DHS Privacy Office report is titled, DHS Privacy Office Review of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) Program. From this report (emphasis added):

In response to the use of PII [personally identifiable information] in these ADVISE deployments, the Privacy Office recommends a set of short- and long-term responsive actions.

• Short-term recommendations focus on ensuring full compliance with privacy protection requirements before continuing with ADVISE deployments and making better use of non-PII data during research and development efforts.
• Long-term recommendations focus on integrating privacy compliance requirements into S&T’s overall project development processes and developing additional privacy guidance for future S&T programs.

The DHS Office of Inspector General report is titled, ADVISE Could Support Intelligence analysis More Effectively. These excerpts indicate serious program management failures (emphasis added):

The ADVISE program is at risk, due to a number of factors. Specifically, S&T [Science and Technology] program managers did not develop a formal business case for the research and development project, in part because they were unaware of requirements to do so. In addition, program managers did not address privacy impacts before implementing three pilot initiatives to support ADVISE. Further, due to inadequate data access and system usability, Office of Intelligence and Analysis (OI&A) analysts did not use the ADVISE pilot. Finally, because S&T did not effectively communicate and coordinate with DHS leadership about the benefits of ADVISE, departmental components have been unwilling to adopt ADVISE to support their intelligence analysis operations. As a result of privacy concerns, DHS has discontinued the three ADVISE pilots. Further, due to a lack of stakeholder commitment, program managers have stated that continuation of the ADVISE program is in question if an owner cannot be found to pay for future system operations and maintenance costs.

Furthermore, according to the Associated Press:

DHS' Science and Technology directorate "determined that new commercial products now offer similar functionality while costing significantly less to maintain than ADVISE."

Let's parse the comments made above, to see the real meaning:

1. "Integrating privacy compliance requirements:" In other words, they should respect and obey privacy laws.
2. According to the Associated Press: "The privacy office concluded that although required privacy analyses were ignored, the Privacy Act itself was not technically violated because the live data used were covered by privacy notices issued earlier for other programs that originally gathered the information." To put it more bluntly, due to technicalities, no one is going to jail over this abuse of privacy power.
3. "Did not develop a formal business case:" Apparently, they spent $42 million on a hunch, without creating a business plan.
4. "Unaware of requirements to do so:" How can someone responsible for a $42 million budget not realize planning is required?
5. "Did not address privacy impacts:" Or, perhaps more accurately, did not care about privacy impacts.
6. "Due to inadequate data access and system usability, Office of Intelligence and Analysis (OI&A) analysts did not use the ADVISE pilot:" The system was so poorly designed, it couldn't even be used.
7. "Departmental components have been unwilling to adopt ADVISE to support their intelligence analysis operations:" In plain English, end-users weren't asked their opinions, so they refused to use the new system.
8. "Lack of stakeholder commitment:" No one wants to touch this baby with a ten-foot pole.
9. "New commercial products now offer similar functionality:" Meaning, DHS didn't need to build this thing, since they could have bought it off the shelf for a fraction of the cost.

Aside from the privacy issues, the project reads like a textbook case on engineering a spectacular IT failure. I believe the arrogance of this situation can be summed up as follows: "It's our money, we have plenty of it, and why are you hassling us anyway?" If a private sector project were run this poorly, heads would roll.

One bright side: this mess was disclosed, which means certain internal DHS control systems seem to be effective, at least after the fact.