The Government Accountability Office (GAO) has released its full public report on the status of the Department of Homeland Security (DHS) National Applications Office (NAO) compliance with current legal, privacy and civil liberties standards.

GAO in September had provided Congressional committees with sensitive but unclassified briefing slides on the preliminary results of its review.

The stated objectives of GAO in the report, titled “National Applications Office: Certification of Compliance With Legal, Privacy, and Civil Liberties Standards Needs to Be More Fully Justified,” were to determine the extent to which DHS has thus far justified its certification that the NAO complies with (1) all applicable laws, (2) privacy standards, and (3) civil liberties standards.

Created in 2007 NAO’s mission is to process requests for classified satellite information and intelligence for civil, homeland security, and law enforcement purposes. By gaining access to highest-quality satellite images in real time Homeland Security and law enforcement officials might be better equipped to identify and detect threats.

The Consolidated Appropriations Act, 2008, prohibited funds from being made available to commence operations of the NAO until the Secretary of Homeland Security certified that the program complies with all existing laws, including all applicable privacy and civil liberties standards, and that certification was reviewed by GAO.

On April 9, 2008, in a letter to Members of Congress, DHS secretary Michael Chertoff certified that the NAO complies with all existing laws, including all applicable privacy and civil liberties standards. The Secretary also provided a charter for the office, privacy and civil liberties impact assessments, and NAO standard operating procedures.

The GAO report disputes that claim of full compliance.

In regard to legal compliance GAO found that “DHS has not yet fully addressed all outstanding issues regarding how the planned operations of the NAO, as described in the department’s certification documents, are to comply with legal requirements.” Specifically, the report said, “DHS has not resolved legal and policy issues associated with NAO support for law enforcement. The NAO charter states that requests for law enforcement domain uses (i.e., activities relating to enforcing criminal or civil laws or investigating violations thereof) will not be accepted by the NAO until interagency agreement is reached on unresolved legal and policy issues.”

In addition, the report found that while “DHS has taken steps to develop a legal review procedure for classified satellite information requests,” it has not yet fully established management controls to ensure that it will be effective.

“DHS has developed a multistage process for reviewing potential requests to address any legal or policy concerns,” the report said. “This process represents a reasonable approach for ensuring that decisions are reviewed on a case-by-case basis, to the extent that law enforcement requests are not accepted. However, the NAO charter leaves it unclear what types of requests will be initially rejected as being in the law enforcement domain and what types will be accepted as homeland security requests, because the distinctions between the two domains are.”

The report acknowledges significant progress by DHS in privacy policy compliance.

“At the time of NAO certification,” it said, “DHS did not fully explain how the office would comply with widely accepted privacy standards, such as the need for personally identifiable information to be accurate, secure, and used only for limited purposes. Specifically, the NAO’s original privacy assessment did not identify or analyze the risks that NAO operations might not meet these standards, nor did it specify measures to mitigate such risks.”

Since April, however, the report added that, “the Privacy Office developed a revised assessment that represented a substantial improvement in identifying privacy risks and mitigating controls to address them, such as providing appropriate oversight and building a process to identify and correct inaccurate information.”

Despite this progress the GAO report maintains that “differences between the review procedures outlined in the revised privacy impact assessment and those in the standard operating procedures raise questions about whether the specifics of the NAO’s privacy protection controls have been clearly established.”

Civil liberties, according to the report, continue to be a problem area for the project.

“The NAO civil liberties impact assessment identified a number of areas of potential concern regarding civil rights and civil liberties,” the report said, “although the NAO program office addressed several of these issues—such as the need to develop and conduct training on civil liberties issues—the department has not indicated how the NAO would address other significant issues, including the potential for improper use or retention of intelligence information by customers and the potential for overly broad annual memorandums about customers’ planned uses, which may facilitate the acceptance of requests that should be rejected.”