
Information Technology: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing

Published by the Government Accountability Office on 2003-04-15.


United States General Accounting Office

GAO
Report to Congressional Requesters

April 2003

INFORMATION TECHNOLOGY
Terrorist Watch Lists Should Be Consolidated to Promote Better Integration
and Sharing

GAO-03-322

Highlights of GAO-03-322, a report to Congressional Requesters

April 2003

INFORMATION TECHNOLOGY
Terrorist Watch Lists Should Be Consolidated to Promote Better Integration
and Sharing

Terrorist and criminal watch list systems—sometimes referred to as
watchout, lookout, target, or tip-off systems—are important tools in
controlling and protecting our nation’s borders. The events of September
11, 2001, and other incidents since then, have highlighted the need to
share these watch lists. In light of the importance of border security, GAO
was asked to identify federal databases and systems that contain watch
lists, the agencies that maintain and use them in protecting our nation’s
borders, the kind of data they contain, whether federal agencies are
sharing information from these lists with each other and with state and
local governments and private organizations, the structural characteristics
of those lists that are automated, and whether opportunities exist to
consolidate these watch lists.

Generally, the federal government’s approach to using watch lists in
performing its border security mission is decentralized and nonstandard,
largely because these lists were developed in response to individual
agencies’ unique missions, including their respective legal, cultural, and
systems environments. Specifically, as shown in the figure below, nine
federal agencies—which prior to the creation of the Department of
Homeland Security (DHS) spanned the Departments of Defense, Justice,
State, Transportation, and the Treasury—develop and maintain 12 watch
lists.

These lists include overlapping but not identical sets of data, and different
policies and procedures govern whether and how these data are shared with
others. As a general rule, this sharing is more likely to occur among federal
agencies than between federal agencies and either state and local
government agencies or private entities. Further, the extent to which such
sharing is accomplished electronically is constrained by fundamental
differences in the watch lists’ systems architecture (that is, the hardware,
software, network, and data characteristics of the systems).

Two agencies identified opportunities to standardize and consolidate these
lists, which GAO believes would improve information sharing. The
President’s homeland security strategy further recognizes the need to
address the proliferation of these lists. While the Office of Homeland
Security was reportedly pursuing consolidation as part of an effort to
develop a border and transportation security blueprint, referred to as an
enterprise architecture, the DHS Chief Information Officer told us that the
department had recently taken responsibility for the blueprint. However, we
were not provided enough information to evaluate these efforts.

Figure: Simplified Diagram of Border Security Process and the Departments
and Agencies That Use Watch Lists

Note: The Transportation Security Administration, Customs, and Immigration
and Naturalization Service and their associated databases appear multiple
times because watch lists that are used in more than one phase of the
process are shown in each phase.

GAO recommends that the Secretary of DHS, in collaboration with the heads
of the other departments and agencies that have and use watch lists, lead
an effort to consolidate and standardize the federal government’s watch
list structures and policies. DHS and other departments involved in this
study generally agreed with GAO’s findings and recommendations.

www.gao.gov/cgi-bin/getrpt?GAO-03-322.

To view the full report, including the scope and methodology, click on the
link above. For more information, contact Randolph C. Hite at 202-512-3439
or hiter@gao.gov.

Contents

Letter
  Results in Brief
  Background
  Federal Agencies Maintain Numerous Watch Lists, Containing Varying Types
    of Data, Used by Many Organizations
  Watch List Sharing Is Governed by Varying Policies and Procedures
  Federal Agency Watch List Data Sharing and Supporting System
    Architectures Vary
  Opportunities Exist for Consolidating Watch Lists and Improving
    Information Sharing
  Conclusions
  Recommendations for Executive Action
  Agency Comments And Our Evaluation

Appendixes
  Appendix I: Objectives, Scope, and Methodology
  Appendix II: Comments from the Department of Justice
  Appendix III: Comments from the Department of State
  Appendix IV: GAO’s Survey Instrument
  Appendix V: GAO Contact and Staff Acknowledgments
    GAO Contact
    Staff Acknowledgments

Tables
  Table 1: Departments, Agencies, and Their Watch Lists
  Table 2: Selected Architectural Characteristics of the 12 Watch List
    Systems

Figures
  Figure 1: Simplified Overview of the Border Security Process and the
    Departments and Agencies Involved
  Figure 2: Simplified Diagram of the Border Security Process and the
    Departments and Agencies That Use Watch Lists
  Figure 3: Simplified Diagram of the Complexity Associated with Connecting
    Decentralized Databases
  Figure 4: Simplified Diagram of Central Data Store with Subsidiary
    Databases
  Figure 5: Simplified Diagram of the Border Security Process, Departments
    and Agencies Involved, and Watch Lists Used
  Figure 6: Types of Data Included in Watch Lists
  Figure 7: Extent of Agency Sharing of Watch List Data with Other Federal
    Agencies and with State, Local, and Private Organizations
  Figure 8: Simplified Overview of the Border Security Process, Departments
    and Agencies Involved, Watch Lists Used, and Sharing among Watch Lists

Abbreviations

DHS          Department of Homeland Security
FBI          Federal Bureau of Investigation
INS          Immigration and Naturalization Service
TSA          Transportation Security Administration

 This is a work of the U.S. Government and is not subject to copyright protection in the
 United States. It may be reproduced and distributed in its entirety without further
 permission from GAO. It may contain copyrighted graphics, images or other materials.
 Permission from the copyright holder may be necessary should you wish to reproduce
 copyrighted materials separately from GAO’s product.




United States General Accounting Office
Washington, D.C. 20548



                                    April 15, 2003




                                    The Honorable Charles E. Grassley
                                    Chairman
                                    Committee on Finance
                                    United States Senate

                                    The Honorable Carl Levin
                                    Select Committee on Intelligence
                                    United States Senate

                                    Terrorist and criminal watch list systems—sometimes referred to as
                                    watchout, lookout, target, or tip-off systems—are important tools in
                                    controlling and protecting our nation’s borders. The events of September
                                    11, 2001, and other incidents since then, have reinforced their importance
                                    and highlighted the need to share and use these lists. Because watch lists
                                    are important tools in border security, you requested that we identify

                                    • federal databases and systems that contain watch lists, the agencies that
                                      maintain and use these watch lists in protecting our nation’s borders,
                                      and the kinds of data these watch lists contain;

                                    • whether federal agencies’ sharing of watch list data is governed by
                                      policies and procedures;

                                    • whether watch lists are (1) being exchanged among federal agencies
                                      and between federal agencies and state, local, and private organizations,
                                      and (2) supported by common system architectures (system hardware,
                                      software, and data characteristics); and

                                    • whether opportunities exist for consolidating watch lists.

                                    To address these objectives, using a questionnaire, we surveyed nine
                                    agencies that perform border security functions and that, according to our
                                    research, either develop or use watch lists. We did not independently verify
                                    agencies’ responses. Details of our objectives, scope, and methodology are
                                    discussed in appendix I.



Results in Brief

Generally, the federal government’s approach to developing and using
terrorist and criminal watch lists in performing its border security mission
is diffuse and nonstandard, largely because these lists were developed and
have evolved in response to individual agencies’ unique mission needs and
the agencies’ respective legal, cultural, and technological environments.
More specifically, nine federal agencies [1]—which spanned the Departments
of Defense, Justice, State, Transportation, and the Treasury—have
developed and maintain 12 watch lists. These lists contain a wide variety of
data; most contain biographical data, such as name and date of birth, and a
few contain biometric [2] data, such as fingerprints. Beyond the nine agencies
that have developed and maintain these watch lists, about 50 other federal
agencies and many state and local government entities have access to one
or more of these lists.

Nonstandardization also extends to the policies and procedures governing
whether and how agencies share watch lists. Specifically, two of the nine
federal agencies do not have such policies and procedures, and the
remaining seven have differing ones. For example, one of the agencies’
policies included guidance on sharing with other federal agencies as well as
state and local governments, but another addressed sharing only with
federal agencies. As a general rule, the federal agencies that have watch
lists share the lists among themselves. However, half of these agencies
share their respective lists with state and local agencies, and one-fourth
share them with private entities. The extent to which such sharing is
accomplished electronically is constrained by fundamental differences in
watch list system architectures (that is, the hardware, software, network,
and data characteristics of the systems).

The number and variability of federal watch lists, combined with the
commonality of purpose of these lists, point to opportunities to consolidate
and standardize them. Appropriately exploiting these opportunities offers
certain advantages—such as faster access, reduced duplication, and
increased consistency—which can reduce costs and improve data
reliability. Some of the agencies that have developed and maintain watch
lists acknowledged these opportunities, as does the President’s homeland
security strategy. To this end, Office of Homeland Security officials stated
in public forums during the course of our review that watch list
consolidation activities were under way as part of efforts to develop a set
of integrated blueprints—commonly called an enterprise architecture [3]—
for the new Department of Homeland Security (DHS). According to DHS’s
Chief Information Officer, responsibility for the consolidation effort has
been transferred to DHS.

[1] The nine agencies are the State Department’s Bureau of Intelligence and
Research and Bureau of Consular Affairs; the Justice Department’s Federal
Bureau of Investigation, Immigration and Naturalization Service, U.S.
Marshals Service, and U.S. National Central Bureau for Interpol; the
Department of Defense’s Air Force Office of Special Investigations; the
Transportation Department’s Transportation Security Administration; and the
Treasury Department’s U.S. Customs Service. Of these, the Immigration and
Naturalization Service, the Transportation Security Administration, and the
U.S. Customs Service are being incorporated into the new Department of
Homeland Security.

[2] Biometrics are records of physical identification marks, such as
fingerprints and iris scans.

             To strengthen our nation’s homeland security capability, we are
             recommending that the Secretary of DHS take a series of steps aimed at
             ensuring that watch lists are appropriately and effectively standardized,
             consolidated, and shared. In commenting on a draft of this report, DHS—as
             well as other departments that develop and maintain watch lists and that
             commented on the draft—generally agreed with our findings and
             recommendations. Their comments are summarized and evaluated in the
             Agency Comments and Our Evaluation section of this report.



Background

The President’s national strategy for homeland security and the Homeland
Security Act of 2002 [4] provide for securing our national borders against
terrorists. Terrorist and criminal watch lists are important tools for
accomplishing this end.

Simply stated, watch lists can be viewed as automated databases that are
supported by certain analytical capabilities. To understand the current
state of watch lists, and the possibilities for improving them, it is useful to
view them within the context of such information technology management
disciplines as database management and enterprise architecture
management.

[3] An enterprise architecture can be viewed as a blueprint that describes an
entity’s operational and technical environments. The blueprint includes
descriptive models of the entity’s current and future business and technical
environments, along with a roadmap for transitioning from the current to the
future environment.

[4] P.L. 107-296.

Overview of the President’s Homeland Security Strategy and the Homeland
Security Act

Since the September 11th terrorist attacks, homeland security—including
securing our nation’s borders—has become a critical issue. To mobilize and
organize our nation to secure the homeland from attack, the administration
issued, in July 2002, a federal strategy for homeland security. [5]
Subsequently, the Congress passed and the President signed the Homeland
Security Act, which established DHS in January 2003. Among other things,
the strategy provides for performance of six mission areas, each aligned
with a strategic objective, and identifies major initiatives associated with
these mission areas. One of the mission areas is border and transportation
security. [6]

For the border and transportation security mission area, the strategy and
the act specify several objectives, including ensuring the integrity of our
borders and preventing the entry of unwanted persons into our country. To
accomplish this, the strategy provides for, among other things, reform of
immigration services, large-scale modernization of border crossings, and
consolidation of federal watch lists. [7] It also acknowledges that
accomplishing these goals will require overhauling the border security
process. This will be no small task, given that the United States shares a
5,525 mile border with Canada and a 1,989 mile border with Mexico and has
95,000 miles of shoreline. Moreover, each year, more than 500 million
people legally enter our country, 330 million of them noncitizens. More than
85 percent enter via land borders, often as daily commuters.



Overview of the Border Security Process

Our nation’s current border security process for controlling the entry and
exit of individuals consists of four primary functions: (1) issuing visas,
(2) controlling entries, (3) managing stays, and (4) controlling exits. The
federal agencies involved in these functions include the Department of
State’s Bureau of Consular Affairs and its Bureau of Intelligence and
Research, as well as the Justice Department’s Immigration and
Naturalization Service (INS), the Treasury Department’s U.S. Customs
Service (Customs), and the Transportation Department’s Transportation
Security Administration (TSA). [8]

[5] Office of Homeland Security, National Strategy for Homeland Security
(July 2002).

[6] The other critical mission areas are intelligence and warning, domestic
counterterrorism, protecting critical infrastructure, defending against
catastrophic terrorism, and emergency preparedness and response.

[7] The strategy assigned the Federal Bureau of Investigation the
responsibility for standardizing and consolidating watch lists. However,
according to the bureau, this responsibility was subsequently assumed by the
Office of Homeland Security.

The process begins at the State Department’s overseas consular posts,
where consular officers are to adjudicate visa applications for foreign
nationals who wish to enter the United States. In doing so, consular
officials review visa applications, and sometimes interview applicants,
prior to issuing a visa. One objective of this adjudication process is to bar
from entry any foreign national who is known or suspected to have
engaged in terrorist activity, is likely to engage in such activity, or is a
member or supporter of a known terrorist organization. [9]

Foreign nationals (and any other persons attempting to enter the United
States, such as U.S. citizens) are to be screened for admission into the
United States by INS or Customs inspectors. Generally, this consists of
questioning the person and reviewing entry documents. Since October
2002, males aged 16 or over from certain countries (for example, Iran, Iraq,
Syria, and the Sudan) are also required to provide their name and U.S.
address and to be photographed and fingerprinted. [10] In addition, airline
officials use information provided by TSA to screen individuals attempting
to travel by air. As discussed in the next section, requirements for checking
a person against a watch list differ somewhat, depending upon whether the
person arrives at a land-, air-, or seaport.

After foreign nationals are successfully screened and admitted, they are not
actively monitored unless they are suspected of illegal activity and come
under the scrutiny of a law enforcement agency, such as the Department of
Justice’s Federal Bureau of Investigation (FBI). Also, when foreign
nationals depart the country, they are not screened unless they are males
aged 16 years or over from certain countries referenced above, or are
leaving by air. According to TSA, all passengers on departing flights are
screened prior to boarding the plane. Figure 1 is a simplified overview of
the border entry/exit process.


[8] Of these agencies, INS, Customs, and TSA have been incorporated into DHS.

[9] U.S. General Accounting Office, Border Security: Visa Process Should Be
Strengthened as an Antiterrorism Tool, GAO-03-132NI (Washington, D.C.:
October 2002).

[10] The requirement to screen these individuals is part of the Justice
Department’s implementation of the National Security Entry-Exit Registration
System. According to Justice, it implemented the first phase of the system in
October 2002.

Figure 1: Simplified Overview of the Border Security Process and the
Departments and Agencies Involved

Note: Customs and TSA appear twice in this figure because they support both
entry and exit control. INS appears three times because it supports entry
control, stay management, and exit control.



The Role of Watch Lists in the Border Security Process

Watch lists are important tools that are used by federal agencies to help
secure our nation’s borders. These lists share a common purpose—to
provide decisionmakers with information about individuals who are known
or suspected terrorists and criminals, so that these individuals can either
be prevented from entering the country, apprehended while in the country,
or apprehended as they attempt to exit the country. As shown in figure 2,
which builds on figure 1 by adding watch list icons and associating them
with the agencies that maintain the respective lists, watch lists collectively
support nine federal agencies in performing the four primary functions in
the border security process. Specifically:

• When a person applies for a visa to enter the United States, State
  Department consular officials are to check that person against one or
  more watch lists before granting a visa.

• When a person attempts to enter the United States by air or sea, INS or
  Customs officials are required to check that person against watch lists
  before the person is allowed to enter the country. In addition, when a
  person attempts to enter the United States by air, INS or Customs
  officials check him or her against watch lists provided by TSA prior to
  allowing him or her to board the plane. Persons arriving at land borders
  may be checked, but there is no requirement to do so. The exception, as
  previously discussed, is for males aged 16 or over from certain
  countries, who are required to be checked. [11]

• Once a watch list identifies a person as a known or suspected terrorist,
  INS, Customs, or airline officials are to contact the appropriate law
  enforcement or intelligence organization (for example, the FBI), and a
  decision will be made regarding the person’s entry and the agency’s
  monitoring of the person while he or she is in the country.

• When a person exits the country by plane, airline officials are to check
  that person against watch lists.

In performing these roles, the agencies use information from multiple
watch lists. For example, U.S. National Central Bureau for Interpol officials
told us that they provide information to the agencies involved in entry
control, exit control, and stay management.




[11] Inspectors are also required to check all entering vehicles’ license
plates against watch lists.

Figure 2: Simplified Diagram of the Border Security Process and the
Departments and Agencies That Use Watch Lists

Note: Customs and TSA, along with their associated lists, appear twice in
this figure because they support both entry and exit control. INS appears
three times because its lists support entry control, stay management, and
exit control.




President’s Strategy Recognizes Problems with Watch Lists and Proposes
Improvements

In addition to highlighting the importance of watch lists for border security,
the President’s national strategy cites problems with these lists, including
limited sharing. According to the July 2002 strategy, in the aftermath of the
September 11th attacks it became clear that vital watch list information
stored in numerous and disparate federal databases was not available to the
right people at the right time. In particular, federal agencies that maintained
information about terrorists and other criminals had not consistently
shared it. The strategy attributed these sharing limitations to legal, cultural,
and technical barriers that resulted in the watch lists being developed in
different ways, for different purposes, and in isolation from one another.

To address these limitations, the strategy calls for integrating and reducing
variations in watch lists and overcoming barriers to sharing the lists. It also
calls for developing an enterprise architecture for border security and
transportation (see next section for a description of an enterprise
architecture). [12] More specifically, the strategy provides for developing a
consolidated watch list that would bring together the information on
known or suspected terrorists contained in federal agencies’ respective
lists. [13]



Enterprise Architecture: A Brief Description

If properly developed, enterprise architectures provide clear and
comprehensive pictures of an entity, whether it is an organization (for
example, a federal department, agency, or bureau) or a functional or
mission area that cuts across more than one organization (for example,
grant management, homeland security, or border and transportation
security). These architectures are recognized as essential tools for
effectively and efficiently engineering business operations and the systems
and databases needed to support these operations.

                           More specifically, enterprise architectures are systematically derived and
                           captured blueprints or descriptions—in useful models, diagrams, and
                           narrative—of the mode of operation for a given enterprise. This mode of
                           operation is described in both (1) logical terms, such as interrelated
                           business processes and business rules, information needs and flows, data
                           models, work locations, and users, and (2) technical terms, such as
                           hardware, software, data, communications, and security attributes and
                           performance standards. They provide these perspectives both for the
                           enterprise’s current, or “as is,” environment and for its target, or “to be,”


                           [12] The President’s strategy assigned the responsibility for developing an enterprise
                           architecture to the Critical Infrastructure Assurance Office, which was part of the
                           Commerce Department but is now being incorporated into the new Department of
                           Homeland Security. However, according to the Critical Infrastructure Assurance Office, this
                           responsibility for developing homeland security enterprise architectures was subsequently
                           assumed by the Office of Homeland Security.
                           [13] The President’s strategy assigned the FBI the responsibility for standardizing and
                           consolidating watch lists. However, according to the FBI, this responsibility has been
                           transferred to the Office of Homeland Security.




                         environment, as well as a transition plan for moving from the “as is” to the
                         “to be” environment.

                         Using enterprise architectures is a basic tenet of effective IT management,
                         embodied in federal guidance and commercial best practices.[14] When
                         developed and used properly, these architectures define both business
                         operations and the technology that supports these operations in a way that
                         optimizes interdependencies and interrelationships. They provide a
                         common frame of reference to guide and constrain decisions about the
                         content of information asset investments in a way that can ensure that the
                         right information is available to those who need it, when they need it.



Options for Enterprise Database Structures

                         As discussed in the previous section, enterprise architectures facilitate
                         delivery of the right information to the right people at the right time. To this
                         end, these architectures include data models, or logical representations of
                         data types and their relationships, which are used to engineer physical data
                         “stores,” or repositories. When engineered properly, these data stores are
                         structured in a way that effectively and efficiently supports both shared
                         and unique enterprise applications, functions, and operations. The
                         structure of these data stores, whether they are paper records or
                         automated databases, can take many forms, employing varying degrees of
                         centralization and standardization. Associated with the structures being
                         employed are opportunities and limitations to effective and efficient
                         information exchange and use.

                         Generally, these structures can be viewed along a continuum. At one
                         extreme, databases can be nonstandard, both in terms of metadata[15] and
                         the technologies that manage the data, and they can be decentralized,
                         meaning that they were built in isolation from one another to support
                         isolated or separate, “stovepiped” applications, functions, and operations.
                         In this case, integrating the databases to permit information exchange


                         [14] For example, see Office of Management and Budget, Management of Federal Information
                         Resources, Circular No. A-130 (Washington, D.C.: November 2000) and U.S. General
                         Accounting Office, Executive Guide: Improving Mission Performance through Strategic
                         Information Management and Technology: Learning from Leading Organizations,
                         GAO/AIMD-94-115 (Washington, D.C.: May 1994).
                         [15] In short, metadata are “data about data.” That is, they are definitional data that describe
                         the context, quality, condition, or characteristics of the specific data elements in a set of
                         data or a database.




requires the development of unique, and potentially complex and costly,
point-to-point interfaces (hardware and software) that translate the data or
bridge incompatibilities in the technology. Further, the sheer number of
databases involved can exponentially increase the number of relationships,
and thus interfaces, that have to be built and maintained. Structuring
databases in this way can quickly evolve into an overly complex,
unnecessarily inefficient, and potentially ineffective way to support
mission operations. (See fig. 3 for a simplified diagram conceptually
depicting this approach to structuring databases.)



Figure 3: Simplified Diagram of the Complexity Associated with Connecting
Decentralized Databases




At the other extreme, databases can be structured to recognize that various
enterprise applications, functions, and operations have a need for the same
data or sets of data, even though they may need to use them in different
ways to support different mission applications, functions, and operations.
If engineered properly, these database structures allow for greater use of
standards, in terms of both data definitions and technology, and are more
centralized, although the option exists to create subsidiary databases—
known as data warehouses and data marts—to permit more uniquely
configured and decentralized data sources to support specific and unique
mission needs. Further, since the core data in these subsidiary databases
are received from a corporate database(s), the need for interfaces to
translate data or connect incompatible technologies is greatly reduced.
Structuring databases in this way can minimize complexity and maximize



                             efficiency and mission effectiveness. (See fig. 4 for a simplified diagram
                             conceptually depicting this approach to structuring databases.)



                             Figure 4: Simplified Diagram of Central Data Store with Subsidiary Databases




Federal Agencies Maintain Numerous Watch Lists, Containing Varying Types of Data, Used by Many Organizations

                             Terrorist watch lists are developed, maintained, or used by federal, state,
                             and local government entities, as well as by private-sector entities, to
                             secure our nation’s borders. Twelve such lists are currently maintained by
                             federal agencies. These lists contain various types of data, from
                             biographical data—such as a person’s name and date of birth—to biometric
                             data—such as fingerprints.

Twelve Federal Watch Lists Are Maintained by Nine Agencies

                             Nine federal agencies, which prior to the establishment of DHS spanned
                             five different cabinet-level departments, currently maintain 12 terrorist and
                             criminal watch lists. These lists are also used by at least 50 federal, state,
                             and local agencies. The above-mentioned departments are the Departments
                             of State, Treasury, Transportation, Justice, and Defense. Table 1 shows the
                             departments, the associated nine agencies that maintain watch lists, and
                             the 12 watch lists.




Table 1: Departments, Agencies, and Their Watch Lists

Department       Agency/Department subcomponent                  Watch list
---------------  ----------------------------------------------  ------------------------------------------------------------
State            Bureau of Consular Affairs                      Consular Lookout and Support
                 Bureau of Intelligence and Research             TIPOFF
Treasury         Customs                                         Interagency Border Inspection [a]
Transportation   TSA                                             No-Fly
                                                                 Selectee
Justice          INS                                             National Automated Immigration Lookout
                                                                 Automated Biometric (fingerprint) Identification System [b]
                 U.S. Marshals Service                           Warrant Information
                 FBI                                             Violent Gang and Terrorist Organization File [c]
                                                                 Integrated Automated Fingerprint Identification
                 U.S. National Central Bureau for Interpol [d]   Interpol Terrorism Watch List
Defense          Air Force (Office of Special Investigations)    Top Ten Fugitive

Source: GAO.
[a] Interagency Border Inspection operates as a part of Customs’ Treasury Enforcement
Communications System, commonly referred to as TECS.
[b] INS is in the process of integrating this system with the FBI’s Integrated Automated Fingerprint
Identification System.
[c] This list is part of the FBI’s National Crime Information Center.
[d] Interpol (International Police Organization) is an intergovernmental organization made up of 181
member countries for the purpose of ensuring cooperation among the world's law enforcement
entities. It is headquartered in Lyon, France. The U.S. National Central Bureau for Interpol, within the
Justice Department, serves as the U.S. member of Interpol and facilitates dissemination of Interpol
watch list information to federal, state, and local agencies.


The 12 watch lists support the federal agencies involved in the border
security process. Figure 5, which builds on figure 2, provides a graphical
representation identifying the name of each of the lists and relating them to
the agencies that maintain the lists and are involved in performing the four
border security functions: issuing visas, controlling entries, managing
stays, and controlling exits.



Figure 5: Simplified Diagram of the Border Security Process, Departments and Agencies Involved, and Watch Lists Used




                          Notes: Customs and TSA, along with their associated lists, appear twice in this figure because they
                          support both entry and exit control. INS appears three times because its systems support entry
                          control, stay management, and exit control.
                          INS also uses the Interagency Border Inspection System to control entry and exit as well as to monitor
                          stays.




Watch Lists Contain Different Types of Data

                          The 12 watch lists do not all contain the same types of data, although some
                          types are included in all of the lists. At the same time, some types of data
                          are included in only a few of the lists. More specifically, all of the lists
                          include the name and date of birth; 11 include other biographical
                          information (for example, passport number and any known aliases); 9
                          include criminal history (for example, warrants and arrests); 8 include
                          biometric data (for example, fingerprints); 3 include immigration data (for
                          example, visa type, travel dates, departure country, destination country,
                          country visited, arrival dates, departure dates, and purpose of travel); and 2
                          include financial data (for example, large currency transactions). Figure 6
                          shows the data types that are included in each watch list.
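
As an added illustration (not part of the GAO report), the Python sketch below contrasts the two database structures described earlier, using the two fields that every list carries, name and date of birth. The three source layouts, field names, records, and the exact-match key are assumptions constructed for this example, not the agencies' actual schemas or data.

```python
"""Added illustration: point-to-point translation vs. one standard record format.

All source layouts, field names, and records are constructed for this example;
they are not the agencies' actual schemas or data.
"""
from datetime import datetime

# Three constructed, mutually incompatible source layouts (nonstandard metadata).
LIST_A = [{"surname": "Doe", "given": "John", "dob": "07/04/1970"}]
LIST_B = [{"full_name": "DOE, JOHN", "birth_date": "19700704"},
          {"full_name": "ROE, JANE", "birth_date": "19810215"}]
LIST_C = [{"name": "Jane Roe", "DOB": "15.02.1981"},
          {"name": "Richard Miles", "DOB": "01.01.1965"}]


def canonical(family, given, born, source):
    """Standard record: case-folded names, a date object, originating list."""
    return {"family": family.strip().casefold(),
            "given": given.strip().casefold(),
            "born": born,
            "sources": {source}}


def from_a(rec):
    # Layout A: separate name fields, US-style date.
    born = datetime.strptime(rec["dob"], "%m/%d/%Y").date()
    return canonical(rec["surname"], rec["given"], born, "A")


def from_b(rec):
    # Layout B: "FAMILY, GIVEN" in one field, compact date.
    family, given = rec["full_name"].split(",", 1)
    born = datetime.strptime(rec["birth_date"], "%Y%m%d").date()
    return canonical(family, given, born, "B")


def from_c(rec):
    # Layout C: "Given Family" in one field, day-first date.
    given, family = rec["name"].rsplit(" ", 1)
    born = datetime.strptime(rec["DOB"], "%d.%m.%Y").date()
    return canonical(family, given, born, "C")


# One adapter per list: each list maps once to the standard format.
ADAPTERS = {"A": (LIST_A, from_a), "B": (LIST_B, from_b), "C": (LIST_C, from_c)}


def consolidate(adapters):
    """Merge every list into one store keyed on (family, given, born)."""
    store = {}
    for records, adapt in adapters.values():
        for raw in records:
            rec = adapt(raw)
            key = (rec["family"], rec["given"], rec["born"])
            if key in store:
                # Same person already present: record the additional source.
                store[key]["sources"] |= rec["sources"]
            else:
                store[key] = rec
    return store


def point_to_point_translators(n):
    """Directed translators needed if each of n lists feeds every other list."""
    return n * (n - 1)


def hub_adapters(n):
    """Adapters needed if each of n lists maps once to the standard format."""
    return n


if __name__ == "__main__":
    for key, rec in sorted(consolidate(ADAPTERS).items()):
        print(key[0], key[1], key[2].isoformat(), sorted(rec["sources"]))
    for n in (3, 12):
        print(n, "lists:", point_to_point_translators(n),
              "point-to-point translators vs", hub_adapters(n), "hub adapters")
```

Exact matching on name and birth date is the simplest possible key; aliases and spelling variants would need additional matching logic on top of the standard format.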




Figure 6: Types of Data Included in Watch Lists




[Figure 6: matrix with one column for each of the 12 watch lists and one row for each data type listed below.]

Data type

Biographic items
   Name
   Aliases
   Nationality/citizenship
   Birth date
   Passport number
   Country issuing passport
   Address

Criminal history
   Warrants
   Arrests

Biometric items
   Photographs
   Ten print fingerprints
   Facial
   Two print fingerprints
   Iris
   Hand

Immigration
   Visa type
   Travel dates
   Departure country
   Destination country
   Countries visited
   Arrival date
   Departure date
   Travel purpose

Financial
   Large currency transactions
   Credit card requests
Source: GAO.




                        Note: Shaded cells indicate data included in watch lists.




Watch List Sharing Is Governed by Varying Policies and Procedures

                        Effective sharing of information from watch lists and of other types of data
                        among multiple agencies can be facilitated by agencies’ development and
                        use of well-coordinated and aligned policies and procedures that define the
                        rules governing this sharing. One effective way to implement such policies
                        and procedures is to prepare and execute written watch list exchange
                        agreements or memorandums of understanding. These agreements would
                        specify answers to such questions as what data are to be shared with
                        whom, and how and when they are to be shared.

                        Not all of the nine agencies have policies and procedures governing the
                        sharing of watch lists. In particular, two of the agencies reported that they
                        did not have any policies and procedures on watch list sharing. In addition,
                        of the seven that reported having such policies and procedures, one did not
                        require any written agreements. Further, the policies and procedures of the
                        seven have varied. For example, one agency’s policies included guidance
                        on sharing with other federal agencies as well as with state and local
                        governments, but another’s addressed sharing only with other federal
                        agencies. In addition, each agency had different policies and procedures on
                        memorandums of understanding, ranging from one agency’s not specifying
                        any requirements to others’ specifying in detail that such agreements
                        should include how, when, and where data would be shared with other
                        parties.

                        The variation in policies and procedures governing the sharing of
                        information from watch lists can be attributed to the fact that each agency
                        has developed its own policies and procedures in response to its own
                        specific needs. In addition, the agencies reported that they received no
                        direction from the Office of Homeland Security identifying the needs of the
                        government as a whole in this area. As a result, federal agencies do not
                        have a consistent and uniform approach to sharing watch list information.



Federal Agency Watch List Data Sharing and Supporting System Architectures Vary

                        The President’s homeland security strategy and recent legislation call for
                        increased sharing of watch lists, not only among federal agencies, but also
                        among federal, state, and local government entities and between
                        government and private-sector organizations. Currently, sharing of watch
                        list data is occurring, but the extent to which it occurs varies, depending on
                        the entities involved. Further, these sharing activities are not supported by
                        systems with common architectures. This is because agencies have


                            developed their respective watch lists, and have managed their use, in
                            isolation from each other, and in recognition of each agency’s unique legal,
                            cultural, and technological environments. The result is inconsistent and
                            limited sharing.



Watch List Sharing Varies

                            According to the President’s homeland security strategy, watch list data
                            sharing has to occur horizontally among federal agencies as well as
                            vertically among federal, state, and local governments in order for the
                            country to effectively combat terrorism. In addition, recent federal
                            homeland security legislation, including the Homeland Security Act,[16] USA
                            PATRIOT ACT of 2001,[17] and the Enhanced Border Security and Visa Entry
                            Reform Act of 2002,[18] require, among other things, increased sharing of
                            homeland security information both among federal agencies and across all
                            levels of government.

                            The degree to which watch list data are being shared is not consistent with
                            the President’s strategy and recent legislative direction on increased data
                            sharing. Specifically, while federal agencies report that they are generally
                            sharing watch list data with each other, they also report that sharing with
                            organizations outside of the federal government is limited. That is, five of
                            the nine agencies reported that they shared data from their lists with state
                            and local agencies, and three reported that they shared data with private
                            industry. Figure 7 visually summarizes the extent to which federal agencies
                            share watch list data with each level of government (federal, state, and
                            local) and with the private sector.




                            [16] P.L. 107-296, section 202.
                            [17] P.L. 107-56.
                            [18] P.L. 107-173.




Figure 7: Extent of Agency Sharing of Watch List Data with Other Federal Agencies
and with State, Local, and Private Organizations

[Figure 7: one row per watch list and one column each for other federal agencies, state agencies, local agencies, and private entities; each cell is marked "Shares no data," "Shares some data," or "Shares all data."]

 Watch list name (agency that maintains list):
   Consular Lookout and Support (Bureau of Consular Affairs)
   TIPOFF (Bureau of Intelligence and Research)
   Interagency Border and Inspection (Customs)
   No-Fly (TSA)
   Selectee (TSA)
   National Automated Immigration Lookout (INS)
   Warrant Information (U.S. Marshals Service)
   Automated Biometric Identification (INS)
   Violent Gang and Terrorist Organization File (FBI)
   Integrated Automated Fingerprint Identification (FBI)
   Interpol Terrorism Watch List (U.S. National Central Bureau for Interpol)
   Top Ten Fugitive (Air Force)

Source: GAO.



As noted above, federal agencies are sharing either all or some of their
watch list data with each other. However, this sharing is the result of each
agency’s having developed and implemented its own interfaces with other
federal agencies’ watch lists. The consequence is the kind of overly
complex, unnecessarily inefficient, and potentially ineffective network that
is associated with unstructured and nonstandard database environments.
In particular, this environment consists of nine agencies—with 12 watch
lists—that collectively maintain at least 17 interfaces; one agency’s watch
list alone has at least 4 interfaces. A simplified representation of the
number of watch list interfaces and the complexity of the watch list
environment is provided in figure 8.




Figure 8: Simplified Overview of the Border Security Process, Departments and Agencies Involved, Watch Lists Used, and
Sharing among Watch Lists




Note: Several watch lists are used in more than one phase of the border security process. For
example, Customs uses the Interagency Border Inspection System for controlling entry and for
controlling exits. In such cases, we showed the watch list interfaces under only one phase.


A key reason for the varying extent of watch list sharing is the cultural
differences among the government agencies and private-sector
organizations involved in securing U.S. borders. According to the
President’s strategy, cultural differences often prevent agencies from
exchanging or integrating information. We also recently reported that
differences in agencies’ cultures have been and remain one of the principal
impediments to integrating and sharing information from watch lists and
other information.19

Historically, legal requirements have also been impediments to sharing, but
recent legislation has begun addressing this barrier. Specifically, the
President’s strategy and our past work20 have reported on legal
requirements, such as security, privacy, and other civil liberty protections,
that restrict effective information sharing. To address this problem,
Congress has recently passed legislation that has significantly changed the
legal framework for information sharing, which, when fully implemented,
should diminish the effect of existing legal barriers. In particular, Congress
has enacted legislation providing for agencies to have increased access to
other agencies’ information and directing more data sharing among
agencies. For example, section 701 of the USA PATRIOT ACT21 broadened
the goals of regional law enforcement’s information sharing to cover
terrorist activities. The Enhanced Border Security and Visa Entry Reform
Act22 expanded law enforcement and intelligence information sharing
about aliens seeking to enter or stay in the United States. Most recently, the
Homeland Security Act23 provides the newly created DHS with wide access
to information held by federal agencies relating to “threats of terrorism”
against the United States. Section 891 expresses the “sense of Congress”
that “Federal, state, and local entities should share homeland security
information to the maximum extent practicable.” Further, section 892 of
the Act requires the President to prescribe and implement procedures for
the sharing of “homeland security information” among federal agencies and
with state and local agencies, and section 895 requires the sharing of grand
jury information.

19 GAO-02-1122T.
20 For example, see U.S. General Accounting Office, National Preparedness: Integrating
New and Existing Technology and Information Sharing into an Effective Homeland
Security Strategy, GAO-02-811T (Washington, D.C.: June 2002).
21 P.L. 107-56.
22 P.L. 107-173.
23 P.L. 107-296.



Watch List Sharing Is Not Supported by a Common Architecture

The President’s homeland security strategy stresses the importance of
information sharing and identifies, among other things, the lack of a
common systems architecture—and the resultant incompatible watch list
systems and data—as an impediment to systems’ interoperating effectively
and efficiently. To address this impediment, the strategy proposes
developing a “system of systems” that would allow greater information
sharing across federal agencies as well as among federal agencies, state
and local governments, private industry, and citizens.

In order for systems to work more effectively and efficiently, each system’s
key components have to meet certain criteria. In particular, their operating
systems24 and applications25 have to conform to certain standards that are
in the public domain, their databases have to be built according to
explicitly defined and documented data schemas and data models, and
their networks have to be connected. More specifically, critical system
components would have to adhere to common standards, such as open
systems standards, to ensure that different systems interoperate.26 One
source for open system standards is the International Organization for
Standardization.27 Also, these systems’ data would have to have common—
or at least mutually understood—data definitions so that data could, at a
minimum, be received and processed, and potentially aggregated and
analyzed. Such data definitions are usually captured in a data dictionary.28
Further, these systems would have to be connected to each other via a
telecommunications network or networks. When system components and
data do not meet such standards, additional measures have to be employed,
such as acquiring or building and maintaining unique system interfaces
(hardware and software) or using manual workarounds. These measures
introduce additional costs and reduce efficiency and effectiveness.

24 An operating system is the program that manages all the other programs (called
applications) in a computer.
25 An application is a program that is designed to perform a specific function for the user or
another program.
26 Open system standards are standards, such as the ISO Open Systems Interconnection
model that, when followed, result in a computer system that can incorporate all devices that
use the same communications facilities and protocols, regardless of make or model.
27 The International Organization for Standardization is an international association of
member countries, each of which is represented by its leading standard-setting
organization—for example, ANSI (American National Standards Institute) for the United
States.

The 12 automated watch list systems do not meet all of these criteria (see
table 2). For example, they use three different types of operating systems,
each of which stores data and files differently. Overcoming these
differences requires the use of software utilities to bridge the differences
between systems. Without such utilities, for example, a Windows-based
system cannot read data from a diskette formatted by a UNIX-based
system.




28 A data dictionary is a collection of descriptions of the data objects or items in a data
model, including a descriptive name; relationships to other data items, structures, and types
(text or image or binary value); possible predefined values; and a text description. Such
dictionaries are used for the benefit of programmers and others who need to refer to them in
developing or operating and maintaining systems.




Table 2: Selected Architectural Characteristics of the 12 Watch List Systems

                                                            Is the operating    Are the software    Is the data       Is the system
                                                            system compatible   applications        dictionary        connected to
                                                            with all other      compliant with      available and     an external
                                                            watch list          open system         shared?           network?
Watch list database                                         operating systems?  standards?
----------------------------------------------------------  ------------------  ------------------  ----------------  -------------
Consular Lookout and Support System                         No                  No                  Yes               Yes
TIPOFF                                                      No                  No                  Yes               No
Interagency Border Inspection System                        No                  No                  Yes               No
National Automated Immigration Lookout System               No                  No                  No                No
Warrant Information Network                                 No                  No                  Yes               Yes
Automated Biometric Identification System                   No                  No                  No                No
Violent Gang and Terrorist Organization File (a)            No                  No                  Yes               Yes
Integrated Automated Fingerprint Identification System (a)  No                  Yes                 Yes               Yes
Top Ten Fugitive List                                       No                  Yes                 No                Yes
Interpol Terrorism Watch List                               No                  Yes                 Unknown (b)       No
No-Fly List                                                 No                  No                  No                No
Selectee List                                               No                  No                  No                No

Source: GAO.
(a) System is connected to a network, but databases are not accessible directly from the network.
(b) Officials from the U.S. National Central Bureau for Interpol stated that they did not know to what extent
Interpol headquarters shares its data dictionary with others.


Also, nine of the systems do not have software applications that comply
with open system standards. In these cases, agencies may have had to
invest time and resources in designing, developing, and maintaining unique
interfaces29 so that the systems can exchange data.

                          Further, five of the systems’ databases do not have a data dictionary, and of
                          the remaining seven systems that do have data dictionaries, at least one is
                          not sharing its dictionary with other agencies. Without both the existence
                          and sharing of these data dictionaries, meaningful understanding of data
                          received from another agency could require an added investment of time
                          and resources to interpret and understand what the received data mean.
                          Moreover, aggregation and analysis of the data received with the data from
                          other watch lists may require still further investment of time and resources
                          to restructure and reformat the data in a common way.
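
An added illustration, not part of the GAO report, of why the receiving side needs the sender's data dictionary before it can interpret and aggregate records. The list names (list_a, list_b, list_c), field names, date formats, and code values are all constructed assumptions and describe no real watch list system.

```python
from datetime import datetime

# Constructed data dictionaries for two hypothetical sources. Each entry carries
# the elements a data dictionary records: a name, a type/format, any predefined
# values, and a text description. "list_c" has shared no dictionary at all.
DICTIONARIES = {
    "list_a": {
        "SURNAME": {"maps_to": "family_name", "type": "text",
                    "description": "Family name"},
        "DOB": {"maps_to": "birth_date", "type": "date", "format": "%m/%d/%Y",
                "description": "Date of birth, month first"},
        "CAT": {"maps_to": "category", "type": "code",
                "values": {"T": "terrorism", "C": "criminal"},
                "description": "Reason the record was entered"},
    },
    "list_b": {
        "last_nm": {"maps_to": "family_name", "type": "text",
                    "description": "Family name"},
        "birth_dt": {"maps_to": "birth_date", "type": "date", "format": "%d/%m/%Y",
                     "description": "Date of birth, day first"},
        "rec_type": {"maps_to": "category", "type": "code",
                     "values": {"1": "terrorism", "2": "criminal"},
                     "description": "Reason the record was entered"},
    },
}

# Constructed sample records. The first two describe the same name and birth
# date, but that is only visible once each source's definitions are applied.
BATCHES = [
    ("list_a", [{"SURNAME": "Example", "DOB": "03/04/1970", "CAT": "T"}]),
    ("list_b", [{"last_nm": "example ", "birth_dt": "04/03/1970", "rec_type": "1"},
                {"last_nm": "Sample", "birth_dt": "1970-03-04", "rec_type": "9"}]),
    ("list_c", [{"NM": "EXAMPLE", "BD": "03/04/1970"}]),
]


def normalize(record, dictionary):
    """Translate one source record into the common layout.

    Returns (common_record, problems). Nothing is guessed: a field without a
    definition, or a value outside its definition, is reported instead.
    """
    common, problems = {}, []
    for field, raw in record.items():
        entry = (dictionary or {}).get(field)
        if entry is None:
            problems.append(f"{field}: no definition available")
            continue
        if entry["type"] == "date":
            try:
                value = datetime.strptime(raw, entry["format"]).date().isoformat()
            except ValueError:
                problems.append(f"{field}: {raw!r} does not match {entry['format']}")
                continue
        elif entry["type"] == "code":
            if raw not in entry["values"]:
                problems.append(f"{field}: undefined code {raw!r}")
                continue
            value = entry["values"][raw]
        else:
            value = raw.strip().upper()
        common[entry["maps_to"]] = value
    return common, problems


def aggregate(batches, dictionaries):
    """Merge batches from several sources; route unusable records to manual review."""
    merged, review = [], []
    for source, records in batches:
        for record in records:
            common, problems = normalize(record, dictionaries.get(source))
            if problems:
                review.append({"source": source, "record": record,
                               "problems": problems})
            else:
                merged.append({"source": source, **common})
    return merged, review


def cross_list_matches(merged):
    """Return name/birth-date pairs that appear in more than one source."""
    groups = {}
    for rec in merged:
        key = (rec.get("family_name"), rec.get("birth_date"))
        groups.setdefault(key, []).append(rec["source"])
    return {k: sorted(v) for k, v in groups.items() if len(set(v)) > 1}


if __name__ == "__main__":
    merged, review = aggregate(BATCHES, DICTIONARIES)
    print("merged:", merged)
    print("same entry on several lists:", cross_list_matches(merged))
    for item in review:
        print("manual review:", item["source"], item["problems"])
```

The list_c record carries the same date string as the list_a record, yet without a dictionary there is no way to tell whether it means March 4 or April 3, so it is queued for a person to interpret rather than merged.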

                          Last, seven of the systems are not connected to a network outside of their
                          agencies or departments. Our experience has shown that without network
                          connectivity, watch list data sharing among agencies can occur only
                          through manual intervention. According to several of these agencies, the
                          manual workarounds are labor-intensive and time-consuming, and they
                          limit the timeliness of the data provided. For example, data from the
                          TIPOFF system are shared directly with the National Automated
                          Immigration Lookout System through a regular update on diskette. Those
                          data are then transferred from the National Automated Immigration
                          Lookout System to the Interagency Border Inspection System.

                          The President’s strategy attributes these differences to the agencies’
                          building their own systems to meet agency-specific mission needs, goals,
                          and policies, without knowledge of the information needs and policies of
                          the government as a whole. As noted and depicted in figure 6, this approach
                          has resulted in an overly complex, unnecessarily inefficient, and potentially
                          ineffective federal watch list sharing environment.



Opportunities Exist for Consolidating Watch Lists and Improving Information Sharing

As addressed in the preceding sections of this report, federal watch lists
share a common purpose and support the border security mission.
Nevertheless, the federal government has developed, maintains, and—
along with state and local governments and private entities—uses 12
separate watch lists, some of which contain the same types of data.
However, this proliferation of systems, combined with the varying policies
and procedures that govern the sharing of each, as well as the architectural
differences among the automated lists, creates strong arguments for list
consolidation. The advantages of doing so include faster access, reduced
duplication, and increased consistency, which can reduce costs and
improve data reliability.

29 An interface is the point at which a connection is made between two elements, such as
systems, so that they can work with one another.

Most of the agencies that have developed and maintain watch lists did not
identify consolidation opportunities. Of the nine federal agencies that
operate and maintain watch lists, seven reported that the current state and
configuration of federal watch lists meet their mission needs, and that they
are satisfied with the level of watch list sharing. However, two agencies
supported efforts to consolidate these lists. The State Department’s Bureau
of Consular Affairs and the Justice Department’s U.S. Marshals Service
agreed that some degree of watch list consolidation would be beneficial
and would improve information sharing. Both cited as advantages of
consolidation the saving of staff time and financial resources by limiting
the number of labor-intensive and time-consuming data transfers, and one
also cited the reduction in duplication of data that could be realized by
decreasing the number of agencies that maintain lists.

The President’s strategy also recognizes that watch list consolidation
opportunities exist and need to be exploited. More specifically, the strategy
states that the events of September 11th raised concerns regarding the
effectiveness of having multiple watch lists and the lack of integration and
sharing among them. To address these problems, the strategy calls for
integrating the numerous and disparate systems that support watch lists as
a way to reduce the variations in watch lists and remove barriers to sharing
them.

To implement the strategy, Office of Homeland Security officials have
stated in public settings that they were developing an enterprise
architecture for border and transportation security, which is one of the six
key mission areas of the newly created DHS.30 They also reported the
following initial projects under this architecture effort: (1) developing a
consolidated watch list that brings together information on known or
suspected terrorists in the federal agencies’ watch lists, and
(2) establishing common metadata or data definitions for electronic watch
lists and other information that is relevant to homeland security. However,
the Office of Homeland Security did not respond to our inquiries about this
effort, and thus we could not determine the substance, status, and schedule
of any watch list consolidation activities. Since then, the DHS Chief
Information Officer told us that DHS has assumed responsibility for these
efforts.

30 The President’s July 2002 homeland security strategy assigns responsibility to the Critical
Infrastructure Assurance Office (in the Commerce Department) for developing the
enterprise architecture for data sharing and to the FBI for consolidating watch lists.
Officials at these two agencies told us that their respective responsibilities were
subsequently assumed by the Office of Homeland Security.



Conclusions

                      Our nation’s success in achieving its homeland security mission depends in
                      large part on its ability to get the right information to the right people at the
                      right time. Terrorist and criminal watch lists make up one category of such
                      information. To date, the federal watch list environment has been
                      characterized by a proliferation of systems, among which information
                      sharing is occurring in some cases but not in others. This is inconsistent
                      with the most recent congressional and presidential direction. Our
                      experience has shown that even when sharing is occurring, costly and
                      overly complex measures have had to be taken to facilitate it. Cultural and
                      technological barriers stand in the way of a more integrated, normalized set
                      of watch lists, and agencies’ legal authorities and individuals’ civil liberties
                      are also relevant considerations. To improve on the current situation,
                      central leadership—spanning not only the many federal agencies engaged
                      in maintaining and using watch lists, but also the state and local
                      government and the private-sector list users—is crucial to introducing an
                      appropriate level of watch list standardization and consolidation while still
                      enforcing relevant laws and allowing agencies to (1) operate appropriately
                      within their unique mission environments and (2) fulfill their unique
                      mission needs. Currently, the degree to which such leadership is occurring,
                      and the substance and status of consolidation and standardization efforts
                      under way, are unclear. In our view, it is imperative that Congress be kept
                      fully informed of the nature and progress of such efforts.



Recommendations for Executive Action

                      To promote better integration and sharing of watch lists, we recommend
                      that DHS’s Secretary, in collaboration with the heads of the departments
                      and agencies that have and use watch lists, lead an effort to consolidate
                      and standardize the federal government’s watch list structures and policies.
                      To determine and implement the appropriate level of watch list
                      consolidation and standardization, we further recommend that this
                      collaborative effort include




                      1. updating the watch list information provided in this report, as needed,
                         and using this information to develop an architectural understanding of
                         our nation’s current or “as is” watch list environment;

                      2. defining the requirements of our nation’s target or “to be” watch list
                         architectural environment, including requirements that address any
                         agency-unique needs that can be justified, such as national security
                         issues and civil liberty protections;

                      3. basing the target architecture on achievement of the mission goals and
                         objectives contained in the President’s homeland security strategy and
                         on congressional direction, as well as on opportunities to leverage state
                         and local government and private-sector information sources;

                      4. developing a near-term strategy for implementing the target
                         architecture that provides for the integration of existing watch lists, as
                         well as a longer-term strategy that provides for migrating to a more
                         consolidated and standardized set of watch lists;

                      5. ensuring that these strategies provide for defining and adopting more
                         standard policies and procedures for watch list sharing and addressing
                         any legal issues affecting, and cultural barriers to, greater watch list
                         sharing; and

                      6. developing and implementing the strategies within the context of the
                         ongoing enterprise architecture efforts of each of the collaborating
                         departments and agencies.

                      In addition, we recommend that the Secretary report to Congress by
                      September 30, 2003, and every 6 months thereafter, on the status and
                      progress of these efforts, as well as on any legislative action needed to
                      accomplish them.



Agency Comments and Our Evaluation

In commenting on a draft of this report, three of the six departments provided
either written (Justice and State) or oral (DHS) comments. The remaining
three departments (Defense, Transportation, and Treasury) said that they
had reviewed the draft but had no comments. The Office of Homeland
Security was also provided with a draft but said that it would not comment.
The departments that provided comments generally agreed with our
findings and recommendations. They also (1) provided technical
comments, which we have incorporated as appropriate in the report, and
(2) offered department-unique comments, which are summarized and
evaluated below.

In his oral comments, DHS’s Chief Information Officer stated that the
department now has responsibility for watch list consolidation.
Additionally, the Chief Information Officer generally described DHS’s plans
for watch list consolidation and agreed that our recommendations were
consistent with the steps he described. In light of DHS’s assumption of
responsibility for watch list consolidation, we have modified our
recommendations to direct them to the DHS Secretary.

In its written comments, Justice stated that, in addition to cultural
differences, there are other reasons why agencies do not share watch list
information, such as national security and civil liberty requirements, and
that these requirements complicate the consolidation of watch list
information. Justice also stated that, while it agrees that there is a need to
establish a common watch list architecture to facilitate sharing, this need
should not impede short-term efforts to improve sharing. We agree with
Justice’s first point, which is why our recommendations provide for
ensuring that all relevant requirements, which would include pertinent
national security and civil liberty protections, are taken into consideration
in developing our nation’s watch list architectural environment. To make
this more explicit, we have modified our recommendations to specifically
recognize national security and civil liberty requirements. We also agree
with Justice’s second point, and thus our recommendations also provide
for pursuing short-term, cost-effective initiatives to improve watch list
sharing while the architecture is being developed. (Justice’s comments are
reprinted in app. II.)

In its written comments, State said that our report makes a number of
valuable points concerning the benefits of watch list consolidation,
enterprise architecture, and information sharing. However, State also said
that our report (1) attributed watch list differences solely to varying agency
cultures, (2) seemed to advocate a “one size fits all” approach, and (3) often
made the assumption that software and systems architecture differences
necessarily obstruct information sharing. With respect to State’s first point,
our report states clearly that watch list differences are attributable not only
to varying cultural environments, but also to each agency’s unique mission
needs and its legal and technical environments as well. Concerning State’s
second point, our report does not advocate a “one size fits all” solution.
Rather, our recommendation explicitly calls for DHS to lead a
governmentwide effort to, among other things, determine the appropriate
degree of watch list consolidation and standardization needed and to
consider in this effort the differences in agencies’ missions and needs.
Regarding State’s last point, our report does not state or assume that
differences in software and system architecture categorically obstruct or
preclude information sharing. Instead, we state that those differences
requiring additional measures—such as building and maintaining unique
system interfaces or using manual workarounds—introduce additional
costs and reduce efficiency and effectiveness. (State’s comments are
reprinted in app. III.)


As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 15 days from the
date on the report. At that time, we will send copies of the report to other
congressional committees. We will also send copies to the Directors of the
Offices of Homeland Security and Management and Budget, and the
Secretaries of the Departments of Defense, Homeland Security, Justice,
State, Transportation, and the Treasury. Copies will also be made available
at our Web site at www.gao.gov.

Should you or your offices have questions on matters discussed in this
report, please contact me at (202) 512-3439. I can also be reached by E-mail
at hiter@gao.gov. An additional GAO contact and staff acknowledgments
are listed in appendix V.




Randolph C. Hite
Director, Information Technology Architecture
and Systems Issues




Appendix I

Objectives, Scope, and Methodology




              Our objectives were to identify (1) federal databases and systems that
              contain watch lists, the agencies that maintain and use these watch lists in
              protecting our nation’s borders, and the kinds of data these watch lists
              contain; (2) whether federal agencies’ sharing of watch list data is governed
              by policies and procedures; (3) whether watch lists are (a) being
              exchanged among federal agencies and between federal agencies and state,
              local, and private organizations and (b) supported by common system
              architectures (system hardware, software, and data characteristics); and
              (4) whether opportunities exist for consolidating watch lists.

              The scope of our work was based on the federal government’s agency
              structure before the formation of the Department of Homeland Security.
              We focused on the agencies that use or maintain watch lists in performing
              border security functions. We identified these departments and agencies
              through discussions with federal government officials knowledgeable
              about the U.S. border security mission area.

              The specific departments and agencies included in our scope were:

              • Department of Justice

                 • Federal Bureau of Investigation

                 • Immigration and Naturalization Service

                 • U.S. Marshals Service

                 • U.S. National Central Bureau for Interpol

              • Department of State

                 • Bureau of Consular Affairs

                 • Bureau of Intelligence and Research

              • Department of the Treasury

                 • U.S. Customs Service

              • Department of Defense

                 • Air Force Office of Special Investigations

              • Department of Transportation

                 • Transportation Security Administration.

To address our objectives, we surveyed each of the agencies cited above,
using a data collection instrument. To develop this instrument, we
reviewed, among other things, past GAO and other reports on watch lists
and on the border security process, along with relevant guidance on such
topics as systems interoperability, enterprise architecture management,
database management, and information sharing. We used this research to
develop a series of questions designed to obtain and aggregate information
necessary to answer our objectives. We then incorporated these questions
into the questionnaire (see app. IV for a copy of the questionnaire). We
pretested the questionnaire at two federal agencies, made adjustments
based on the pretest, and then transmitted it to the agencies cited above on
July 29, 2002. Responses from agencies were received from August 2002
through October 2002. We did not independently verify agency responses.
However, we did contact agency officials when necessary to clarify their
responses.

Next, we compiled the agencies’ responses to determine the number of
watch lists being used, confirm the universe of agencies that have lists, and
determine the number of organizations that use the lists and the kinds of
data the lists contain. We also analyzed the agencies’ policies and
procedures governing watch list sharing. In addition, we reviewed the
survey responses to determine the degree of sharing among federal, state,
local, and private-sector entities, and we compared the extent of sharing
with the sharing goals contained in the President’s homeland security
strategy and the Homeland Security Act of 2002. Moreover, we aggregated
the agencies’ descriptions of their watch list systems architectures and
analyzed them to identify similarities and differences. We also analyzed the
architectural components of the watch list systems and compared them
with the standards required for systems to interoperate and share data
efficiently and effectively. Finally, we analyzed the agencies’ responses on
watch list consolidation, to identify whether there were opportunities for
consolidating watch lists and, if so, what the benefits were of doing so.

Additionally, we reviewed the President’s homeland security strategy,
homeland security legislation and agency budget requests, and other public
documents to identify federal government efforts related to maintaining
and sharing watch lists. We also attended conferences and other public
events at which Office of Homeland Security officials spoke on homeland
security enterprise architecture and watch list standardization and
consolidation efforts. We attempted to meet with Office of Homeland
Security officials, but they declined to meet with us. As a result, we
submitted written questions to the Office of Homeland Security, but
received no response.

We conducted our work at the headquarters of the nine federal agencies
identified above, in and around the Washington, D.C., metropolitan area,
from July 2002 through March 2003, in accordance with generally accepted
government auditing standards.




Appendix II

Comments from the Department of Justice




Appendix III

Comments from the Department of State




Appendix IV

GAO’s Survey Instrument




United States General Accounting Office

Survey of Federal Agencies’ Use of “Watch Lists” of Domestic and
International Terrorists and Criminals

Introduction

The U.S. General Accounting Office (GAO), an investigative agency of
Congress, is studying federal agency “watch lists.” Our objectives are to
identify: (1) databases and systems that contain watch lists of domestic and
international terrorists and criminals; (2) agencies that maintain and use
these databases and systems; (3) policies and procedures that govern the
sharing of watch list data; (4) the kinds of data that are currently being
exchanged among federal, state, and local governments and private sector
firms and associations; (5) the architectural characteristics of watch list
databases and systems; and (6) opportunities for consolidating these
databases and systems.

Watch lists—commonly referred to as lookout, target, or tip-off
lists—contain information on known and suspected domestic and international
terrorists and criminals. They are used by federal, state, and local
agencies to identify, monitor, and apprehend known and suspected terrorists
and criminals who pose threats to U.S. national security and welfare.

Please complete this survey and return it by August 19, 2002. Use readily
available data whenever possible; we are not asking agencies to perform
extensive analyses in order to respond to these questions. The survey has
several parts. Part I requests information on your agency’s definition of
domestic and international terrorists and criminals. Parts II and IV ask for
general information about watch list development, maintenance, and use.
Part III asks, among other things, about policies and procedures for sharing
watch lists. Part V asks questions about the information architecture of
each watch list your organization uses, and Part VI asks whether any of
these watch lists and/or the databases and systems in which they reside
could be productively consolidated. Please provide the name and telephone
number of a contact for your department or agency that can answer any
questions we may have about your survey responses. Please note that parts
II, IV, and V should be answered for each watch list developed, maintained,
or used by your agency. Additional survey pages are provided at the end of
the survey if you have more than one watch list.

Agency Contact
Name: _______________________________
Title: ________________________________
Organization: _________________________
Telephone: ___________________________
Fax: _________________________________
E-Mail: ______________________________

If you have any questions, please contact:

Gary N. Mountjoy, Assistant Director
Voice: (202) 512-6367
Fax: (202) 512-6450
E-Mail: mountjoyg@gao.gov

Tonia L. Johnson, Analyst-in-Charge
Voice: (202) 512-6447
Fax: (202) 512-6451
E-Mail: johnsontl@gao.gov

Thank you very much for your time. We understand that the information you
provide may be sensitive, and it will be protected against unauthorized
disclosure in accordance with the level of classification that you specify
on your completed form. Classified documents should be mailed to the
attention of Dolores McGhee, Security Officer, at the GAO address given at
the end of the survey. Ms. McGhee can be contacted at (202) 512-8116 if you
have any questions or concerns.








I. Definition of Domestic and International Terrorist and/or Criminal

What is your agency’s definition of a “known or suspected domestic and/or
international terrorist or criminal.”

    _______________________________________
    _______________________________________
    _______________________________________

II. Watch List Development and/or Maintenance

Please provide the requested information for each watch list¹ developed
and/or maintained by your agency. Additional pages are provided in appendix
I if you have more than one watch list. If you do not develop or maintain
any watch lists, please go directly to part III.

Name of Watch List: ______________________
Purpose of Watch List _____________________

1. Is your watch list limited to terrorists, or does it include information
   on others?

   1. [ ] Terrorists only
   2. [ ] Terrorists and others, such as criminals
   3. [ ] Criminals only
   4. [ ] Other (please specify): _________

2. Is this list maintained electronically, manually (on paper), or by a
   combination of these methods?

   1. [ ] Electronically only
   2. [ ] Manually (on paper) only
   3. [ ] Both electronically and manually

3. How many names are on this list as of August 1, 2002? __________ (number)

4. Are the data source(s) for this list internal or external?

   1. [ ] Internal only
   2. [ ] External only
   3. [ ] Both Internal and External

5. Describe how your agency determines the names that are added to this
   watch list, including a description of the criteria used to make such
   determinations. If additional space is needed, add pages as necessary.

   _______________________________________
   _______________________________________
   _______________________________________

¹ A watch list—also referred to as lookout, target, or tip-off
list—contains information on known and suspected domestic
and international terrorists and criminals and is used by
federal, state, and local agencies to identify, monitor, and
apprehend these terrorists and criminals.





6. What controls are in place to help ensure that the procedures for adding
   names to the watch list are consistently applied?

   _______________________________________
   _______________________________________
   _______________________________________

7. Describe how your agency determines the names that are removed from this
   watch list, including a description of the criteria used to make such
   determinations. If additional space is needed, add pages as necessary.

   _______________________________________
   _______________________________________
   _______________________________________

8. What controls are in place to help ensure that the procedures for
   deleting names from the watch list are consistently applied?

   _______________________________________
   _______________________________________
   _______________________________________

9. How often is this watch list updated?

   1. [ ] Real-time
   2. [ ] Daily
   3. [ ] Weekly
   4. [ ] Monthly
   5. [ ] Quarterly
   6. [ ] Semi-annually
   7. [ ] Annually
   8. [ ] Other (please specify): ________________

10. For this list, what is the level of classification of data as specified
    by Executive Order 12958²?

    1. [ ] Unclassified
    2. [ ] Confidential
    3. [ ] Secret
    4. [ ] Top Secret
    5. [ ] Other (please specify): _____________________________________

11. Does this watch list information allow individuals with false identities
    to be detected?

    1. [ ] Yes
    2. [ ] No

12. Does this watch list information allow individuals with false documents
    to be detected?

    1. [ ] Yes
    2. [ ] No

² Executive Order 12958 specifies how information
related to national defense and foreign relations is to be
maintained and protected against unauthorized
disclosure. It provides a hierarchy of three levels, with
different levels of protection depending on the
sensitivity of the information.




13. Please tell us whether the list includes any of the following items by
    placing a check (✓) in the appropriate column.

Watch List Data Items                        Included   Not Included

Biometric Data
Two-print fingerprints
Ten-print fingerprints
Iris Images
Facial Images
Hand Images
Photographs
Other (please specify):

Biographical Data
Name
Aliases
Address
Date of Birth
Nationality/Citizenship
Passport Number
Name of Country Issuing Passport/Visa
Other (please specify):

Criminal Histories
Arrests
Warrants Issued
Other (please specify):

Immigration Record
Countries Visited
Type of Visa Granted (e.g., student, Tourist, etc.)
Date of arrival
Date of departure
Other (please specify):

Travel Records
Dates of travel
Departure country
Destination country
Purpose of travel
Other (please specify):

Financial Transactions
Large currency transactions
Credit card requests
Other (please specify):

Other Data Groups (please specify):
_____________________________
_____________________________

14. Do you share all or some of the information in this list with other
    federal, state, or local government agencies and/or others (e.g.,
    private sector firms, associations, etc.)? Please check (✓) yes or no
    for each type of organization.

                                             Yes     No
Federal Agencies
State Agencies
Local Agencies
Private sector firms and associations
Other (please specify):

    If you answered no to all of the categories above, please explain why
    you do not share this information with others, and then proceed to
    Part III. If additional space is needed, add pages as necessary.

    _______________________________________
    _______________________________________
    _______________________________________





15. For each of the categories in question 14 that you
    answered yes to, please check all of the types of
    organizations you share data with:

   a. Federal Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
               _______________________________
               _______________________________

   Please list the federal agencies you share data with.
   If additional space is needed, add pages as necessary.
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   b. State Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
                _______________________________
                _______________________________

   c. Local Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
               _______________________________
              _______________________________

   d. Private sector firms and associations:
       1. [ ] Commercial Airlines
       2. [ ] Ship Lines
       3. [ ] Other (please specify): _____________
              _______________________________
              _______________________________








16. Of the data items in your watch list, which ones do you share and with which organizations? For each item, please
   circle whether or not you share the item with the type of organization specified in the categories in the table below.

Watch List Data Items

                                            Federal Law           Federal       State         Local         Private
                                            Enforcement         Intelligence   Agencies      Agencies     Sector Firms
                                             Agencies            Agencies                                      &
                                                                                                          Associations
Biometric Data                               Yes or No          Yes or No      Yes or No     Yes or No     Yes or No
Two-print fingerprints                       Y      N            Y      N      Y     N        Y    N        Y     N
Ten-print fingerprints                       Y      N            Y      N      Y     N        Y    N        Y     N
Iris Images                                  Y      N            Y      N      Y     N        Y    N        Y     N

Facial Images                                Y      N            Y      N      Y     N        Y    N        Y     N
Hand Images                                  Y      N            Y      N      Y     N        Y    N        Y     N
Photographs                                  Y      N            Y      N      Y     N        Y    N        Y     N
Biographical Data

Name                                         Y      N            Y      N      Y     N        Y    N        Y     N
Aliases                                      Y      N            Y      N      Y     N        Y    N        Y     N
Address                                      Y      N            Y      N      Y     N        Y    N        Y     N
Date of Birth                                Y     N             Y      N      Y      N       Y     N       Y     N
Nationality/Citizenship                      Y      N            Y      N      Y     N        Y    N        Y     N
Passport Number                              Y      N            Y      N      Y     N        Y    N        Y     N
Name of Country Issuing Passport/Visa        Y      N            Y      N      Y     N        Y    N        Y     N
Other (please specify):                      Y      N            Y      N      Y     N        Y    N        Y     N
Criminal Histories
Arrests                                      Y      N            Y      N      Y     N        Y    N        Y     N
Warrants Issued                              Y      N            Y      N      Y     N        Y    N        Y     N
Other (please specify):                      Y      N            Y      N      Y     N        Y    N        Y     N
Immigration Record
Countries Visited                            Y      N            Y      N      Y     N        Y    N        Y     N
Type of Visa Granted (e.g., student)         Y      N            Y      N      Y     N        Y    N        Y     N
Date of arrival                              Y      N            Y      N      Y     N        Y    N        Y     N
Date of departure                            Y      N            Y      N      Y     N        Y    N        Y     N
Other (please specify):
Travel Records
Dates of travel                              Y      N            Y      N      Y     N        Y    N        Y     N
Departure country                            Y      N            Y      N      Y     N        Y    N        Y     N
Destination country                          Y      N            Y      N      Y     N        Y    N        Y     N
Purpose of travel                            Y      N            Y      N      Y     N        Y    N        Y     N

Other (please specify):
Financial Transactions
Large currency transactions                  Y      N            Y      N      Y     N        Y    N        Y     N
Credit card requests                         Y      N            Y      N      Y     N        Y    N        Y     N
Other (please specify):
_____________________________
_____________________________
_____________________________






17. For each item in question 16 for which you answered no, please tell us
    the reason(s) why data is not made available to other federal, state, or
    local agencies or to private sector firms and associations.

    _______________________________________
    _______________________________________
    _______________________________________

                                                         7




          Page 46                                                           GAO-03-322 Terrorist Watch Lists
            Appendix IV
            GAO’s Survey Instrument




III. Watch List Policies and Procedures

Please answer the following questions regarding policies and procedures for the
sharing of watch list information. If you do not have watch list–specific policies
and procedures, please answer the questions based on any general information
sharing policies and procedures you have.

1. Does your agency have written policies and/or procedures governing the sharing
   of watch list information?

       1. [ ] Yes
       2. [ ] No

   If yes, please enclose a copy of these policies and procedures. If you have
   different policies and procedures for different organizations or different
   watch lists, please provide copies of each set of policies and procedures,
   clearly identifying the organizations and/or lists governed by each.

2. Does your agency require an official data sharing agreement, memorandum of
   understanding, or other agreement in order to share watch list information
   with another agency or organization?

       1. [ ] Yes
       2. [ ] No

   If yes, please specify below the agencies or organizations with which your
   agency has official data sharing agreements, memoranda of understanding, or
   other agreement currently in place.
   _______________________________________

3. Does your agency share watch list information with other agencies without an
   official data sharing agreement, memorandum of understanding or other
   agreements?

       1. [ ] Yes
       2. [ ] No

   If yes, please specify below the agencies or organization(s) and information
   or watch list shared.
   _______________________________________

4. Does your agency share watch list information with others electronically,
   manually, or both?

       1. [ ] Electronically only
       2. [ ] Manually (on paper) only (go to part IV)
       3. [ ] Both electronically and manually
       4. [ ] Neither, we do not share our watch list information (go to part IV)

5. If you share watch lists by transferring electronic data, please place a
   check (✓) in the appropriate column(s) below.

   Electronic Data Transfer Methods                                  Yes    No
   Tapes
   Disks or diskettes
   Electronic files via telecommunications links (e.g., e-mail)
   FAX
   File Transfer Protocol
   Telnet
   Web Access (Hypertext Transfer Protocol (HTTP) or HTTP over
     Secure Socket Layer (HTTPS))
   Secure Community of Interest (such as Intel-Link)
   Other (please specify): _____________________________

IV. Watch List Users—Those Who Access and Use Other Agencies’ Watch Lists

Please provide the requested information for each watch list³ provided by another
agency. Additional pages are provided in appendix II if you have more than one
watch list received from another agency. If you do not receive others’ watch
lists, please go directly to part V.

Name of Watch List: ______________________

Agency Providing Watch List _______________

How does your agency use this watch list?
_________________________________________

1. Does your agency receive and use watch list information on?

       1. [ ] Terrorists only
       2. [ ] Terrorists and others, such as criminals
       3. [ ] Criminals only
       4. [ ] Other (please specify): ____________

2. By what mechanism(s) does your agency receive watch list information?

       1. [ ] Electronically only
       2. [ ] Manually (on paper) only (go to question 4)
       3. [ ] Both electronically and manually

3. If you share watch lists by transferring electronic data, please place a
   check (✓) in the appropriate column(s) below.

   Electronic Data Transfer Methods                                  Yes    No
   Tapes
   Disks or diskettes
   Electronic files via telecommunications links (e.g., e-mail)
   FAX
   File Transfer Protocol
   Telnet
   Web Access (Hypertext Transfer Protocol (HTTP) or HTTP over
     Secure Socket Layer (HTTPS))
   Secure Community of Interest (such as Intel-Link)
   Other (please specify): _____________________________

4. Does your agency have data sharing agreement(s) with the agencies you receive
   this list from?

       1. [ ] Yes
       2. [ ] No

5. Check (✓) the box showing how frequently you receive updated watch list
   information:

       1. [ ] Real-time
       2. [ ] Daily
       3. [ ] Weekly
       4. [ ] Monthly
       5. [ ] Quarterly
       6. [ ] Semi-annually
       7. [ ] Annually
       8. [ ] Other (please specify): _____________

³ A watch list—also referred to as lookout, target, or tip-off list—contains
  information on known and suspected domestic and international terrorists and
  criminals and is used by federal, state, and local agencies to identify,
  monitor, and apprehend these terrorists and criminals.

6. Would receiving watch list information more frequently improve your agency’s
   ability to identify, monitor, and/or apprehend known and suspected terrorists
   and criminals?

       1. [ ] Yes
       2. [ ] No

7. Does this watch list information allow individuals with false identities to
   be detected?

       1. [ ] Yes
       2. [ ] No

8. Does this watch list information allow individuals with false documents to be
   detected?

       1. [ ] Yes
       2. [ ] No

9. Does your agency receive all the data it requests from the agency providing
   this watch list?

       1. [ ] Yes
       2. [ ] No

   If your answer is yes, please go directly to section V. If your answer is no,
   please proceed to question 10.

10. For this watch list, please check (✓) the items not provided and list the
    reason(s) the agency gave for not providing them.

    Watch List Data Items                    Data Not    Reason Given For Not
                                             Received    Providing

    Biometric Data
      Two-print fingerprints
      Ten-print fingerprints
      Iris Images
      Facial Images
      Hand Images
      Photographs
      Other (please specify):

    Biographical Data
      Name
      Aliases
      Address
      Date of Birth
      Nationality/Citizenship
      Passport Number
      Name of Country Issuing Passport/Visa
      Other (please specify):

    Criminal Histories
      Arrests
      Warrants Issued
      Other (please specify):

    Immigration Record
      Countries Visited
      Type of Visa Granted (e.g., student, tourist)
      Date of arrival
      Date of departure
      Other (please specify):

    Travel Records
      Dates of travel
      Departure country
      Destination country
      Purpose of travel
      Other (please specify):

    Financial Transactions
      Large currency transactions
      Credit card requests
      Other (please specify):

    Other (please specify):

V. Information/Data Architecture

Please provide the requested information for each watch list identified in parts
II and IV. Additional pages are provided in appendix III if you have more than
one watch list. If your watch list does not reside in a computerized database or
system, skip to part VI.

Name of Watch List: _______________________

1. For this watch list, please provide in the table below the hardware
   architecture elements (by product name) of the database or system the list
   resides on:

   Hardware Architecture Elements
     Computer Platform (type, manufacturer, and model number)
     Disk Space (bytes)
     Memory (bytes)
     Application Architecture (e.g., mainframe, client-server)
     Other (please specify):
     _____________________________________________

2. For this watch list, please provide in the table below the software
   architecture elements (by product name) of the database or system the list
   resides on. In addition, where applicable, check (✓) the standard your
   product is compliant with.

   Software Architecture Elements
     Operating System
     Database Management System
     Application Software (for COTS, provide the product name; for
     internally-developed, give the agency name)
         COTS _____
         Internally Developed ______
     Computer Programming Language
     Data Access Middleware (please list product used and check if it is
     compliant with the listed standards or protocols)
         Open Database Connectivity _____
         Java Database Connectivity _____
         Other (specify):
     Application Communication Middleware (please list product used and check
     if it is compliant with the listed standards or protocols)
         Remote Procedure Call (RPC) model ______
         Message Passing model ______
         Message Queuing model _______
         Publish and Subscribe model ______
         Other (please specify):
     Other (please specify):
     _____________________________________________

3. For this watch list, please check (✓) below any of the software
   infrastructure standards your system or database is compliant with. If your
   system or database is compliant with a standard not listed, please list it in
   the other category. (Check all that apply.)

       1. [ ] Distributed Computing Environment
       2. [ ] Common Object Request Broker Architecture
       3. [ ] Distributed Component Object Model
       4. [ ] Java Remote Method Invocation
       5. [ ] Other (please specify): _____________

4. For this watch list, please specify each type of network connectivity used by
   your agency: (Check all that apply.)

       1. [ ] World Wide Web
       2. [ ] Public Switched Telephone Network
       3. [ ] Non-Secure Internet Protocol Routing Network
       4. [ ] Secure Internet Protocol Routing Network
       5. [ ] Treasury Electronic Communications System or other federal
              telecommunications intermediary system
       6. [ ] Virtual Private Network
       7. [ ] Dedicated Network
       8. [ ] Other (please specify): _____________

5. Is the system on which your list resides built in compliance with open system
   standards?

       1. [ ] Yes
       2. [ ] No

   If yes, please specify which standard(s) you used to develop and/or implement
   your system.
   _______________________________________

6. Is the database or system your list resides on stand-alone⁴ or networked?

       1. [ ] Stand-alone only (go to question 8)
       2. [ ] Networked only
       3. [ ] Both stand-alone and networked components
       3. [ ] Other (please specify): _________

7. Please complete the table below by designating with a check (✓) the types of
   systems or networks your database and/or system is connected to and listing
   the systems:

   Type of Systems            Yes (✓)   No (✓)   If Yes, List System(s)
   Commercial Systems
   Defense Systems
   Internet
   Intranet
   Extranet
   Wireless Connection
   Other (please specify): __________________________

8. What fields can you use to search for individuals? (Check all that apply.)

       1. [ ] Name fields
       2. [ ] Biometric fields (e.g., fingerprints)
       3. [ ] Date of birth fields
       4. [ ] Other (please specify): ______________

⁴ A stand-alone database/system is one that is not directly connected to other
  systems or networks.

9. Does your system include a “fuzzy” search⁵ capability?

       1. [ ] Yes
       2. [ ] No

The following questions address the metadata⁶ or structure of your data.

10. For this watch list, please describe below what type of standards, schema,
    or specifications your agency uses to define the format and content of your
    watch list data elements or records.⁷
    _______________________________________

11. Has your agency created a metadata template for describing a terrorist?

       1. [ ] Yes
       2. [ ] No

    If you answered yes, please provide documents identifying the number of
    elements, name of each element, data type of each element, and meaning of
    each element.

12. Is your agency using document type definitions (DTDs) or schemas⁸ for
    requesting watch list information from another agency?

       1. [ ] Yes
       2. [ ] No

    If you answered yes, please provide a copy of the DTD/schema for requesting
    watch list information.

13. Is your agency using DTD/schemas for responding to a watch list information
    request from another agency?

       1. [ ] Yes
       2. [ ] No

    If you answered yes, please provide a copy of the DTD/schema for requesting
    watch list information.

14. Is your agency using DTDs/schema for automatically updating watch list
    information?

       1. [ ] Yes
       2. [ ] No

    If you answered yes, please provide a copy of the DTD/schema.

15. Has your agency developed and institutionalized a watch list data dictionary
    that describes the elements used in the DTDs/schemas?

       1. [ ] Yes
       2. [ ] No

    If you answered yes, please provide a copy of the data dictionary.

⁵ A search for data that finds answers that come close to the data being
  searched for. It can get results when the exact spelling is not known or help
  users obtain information that is loosely related to a topic.
⁶ Metadata is definitional data that provides information about or documentation
  of data managed within an application or environment. For example, metadata
  would document data about data elements or attributes, such as the element
  name, size, and type.
⁷ For example, state motor vehicle administrators use the American Association
  of Motor Vehicle Administrators’ XML Driver History Query System
  Specifications.
⁸ A DTD or schema is a file that describes the structure of a document and
  defines how markup tags should be interpreted.

16. Is your agency sharing its data dictionary with           20. Does your watch list database contain any of the
    other agencies?                                               following security controls? (Check all that
                                                                  apply.)
        1.    [ ] Yes
        2.    [ ] No
                                                                 1.   [   ]
                                                                         Segregation of Duties
                                                                 2. [ ] Application Security Plan
                                                                 3. [ ] Vulnerability Assessments or Reviews
                                                                 4. [ ] Penetration Testing
                                                                 5. [ ] Intrusion (Actual or attempted) Detection
                                                                        and Monitoring
                                                                 6. [ ] Maintaining audit trails of all access to and
                                                                        modification of files
                                                                 7. [ ] Investigation of suspicious access or
                                                                        modification activity
                                                                 8. [ ] Revision of access control policies and
                                                                        techniques to address violations
                                                                 9. [ ] Application Change Controls
                                                                 10. [ ] Access Identification
                                                                 11. [ ] Access Authentication
                                                                 12. [ ] Authorization Required to Alter Lists
                                                                 13. [ ] Audits or Inspections
                                                                 14. [ ] Encryption
                                                                 15. [ ] Other: __________________________

        If you answered yes, please provide the names
        of the agencies you share with below.

    _______________________________________

17. Does your agency use metadata to develop and
    maintain the watch list(s) it uses?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please proceed to the
        next question. If you answered no, please skip
        to question 20.

18. Do you use an encoding scheme, such as XML, to
    encode watch list data elements?

        1.   [ ] Yes
        2.   [ ] No (go to question 20)

19. Check the box below for the encoding scheme you
    use to encode watch list elements. (Check one.)

        1. [ ] XML
        2. [ ] HTML
        3. [ ] SGML
        4. [ ] Other (please specify):
        _________________________________

21. How many times in the past 12 months has
    someone attempted to penetrate your watch list
    system?
    __________

22. How many attempts to penetrate were successful?
    _______

23. What controls are in place to help ensure data
    integrity?

    _______________________________________




24. What controls are in place to help ensure data
    reliability?

    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________




VI. Consolidation of Watch Lists
Please provide the following information regarding
consolidation of watch lists.

1. For the watch lists you use or are aware of, is there
   duplication or overlap?

        1.    [ ] Yes
        2.    [ ] No (go to question 5)

2. Is it your agency’s view that these watch lists should
   be consolidated?

        1.    [ ] Yes (go to question 3)
        2.    [ ] No (go to question 4)

3. Please list the watch lists that your agency thinks
   should be consolidated, indicate the benefits that
   would result from their consolidation by placing a
   check (✓) in the column under the reason in the
   table below, and explain how these benefits would
   result from consolidation. (Once you have
   completed this question, go to question 5.)

                              Benefits of Consolidation
Watch Lists You Think    Save Staff    Save     Improve Information    Other
Can Be Consolidated      Time          Money    Sharing

Please Explain

4. Please explain why your agency believes these
   watch lists should not be consolidated:
   __________________________________________

5. How well do federal agencies share watch list
   information? Please tell us about your agency’s
   experiences sharing your watch list information
   with other federal agencies and/or using information
   provided by other federal agencies by listing the
   name of the agency, the name of the watch list, and
   rating the effectiveness of these interactions by
   placing a check (✓) in the column under the
   description that most closely matches your
   organization’s view.

        Please fill out one of the boxes below for each
        agency and list your agency has experience
        with. Additional boxes are provided in
        Appendix IV. If your agency does not share
        watch list information with other federal
        agencies, please go directly to question 7.

Agency:
Watch List:
                     Effectiveness of Interaction
Very Effective    Effective    Somewhat Ineffective    Very Ineffective    No Basis to Judge

Agency:
Watch List:
                     Effectiveness of Interaction
Very Effective    Effective    Somewhat Ineffective    Very Ineffective    No Basis to Judge

Agency:
Watch List:
                     Effectiveness of Interaction
Very Effective    Effective    Somewhat Ineffective    Very Ineffective    No Basis to Judge

Agency:
Watch List:
                     Effectiveness of Interaction
Very Effective    Effective    Somewhat Ineffective    Very Ineffective    No Basis to Judge

6. If your agency judged federal interagency sharing
   of watch list information to be less than very
   effective, please describe the obstacle(s) that
   hamper the sharing of watch list information and the
   negative effect on your mission of this failure to
   effectively share, if any.

        Please fill out one of the boxes below for each
        agency your agency has experience with.
        Additional boxes are provided in Appendix
        IV.

Agency:
Watch List:

Describe Obstacle           Describe Negative Effect on
                            Mission

Agency:
Watch List:

Describe Obstacle           Describe Negative Effect on
                            Mission

Agency:
Watch List:

Describe Obstacle           Describe Negative Effect on
                            Mission

Agency:
Watch List:

Describe Obstacle           Describe Negative Effect on
                            Mission

Agency:
Watch List:

Describe Obstacle           Describe Negative Effect on
                            Mission




7. If your agency shares watch lists with state and/or
   local agencies, or with private sector firms, how
   effectively has your agency shared this information?

            Please fill out one of the boxes below for each
            state and/or local agency your agency has
            experience with. Additional boxes are
            provided in Appendix IV. If your agency
            does not share information with any such
            organizations, please go directly to question
            9.

State/Local Agency:
Watch List:
                  Effectiveness of Interaction
Very           Effective     Somewhat        Very          No
Effective                    Ineffective     Ineffective   Basis to
                                                           Judge

State/Local Agency:
Watch List:
                  Effectiveness of Interaction
Very           Effective     Somewhat        Very          No
Effective                    Ineffective     Ineffective   Basis to
                                                           Judge

State/Local Agency:
Watch List:
                  Effectiveness of Interaction
Very           Effective     Somewhat        Very          No
Effective                    Ineffective     Ineffective   Basis to
                                                           Judge

Private Sector Entity:
Watch List:
                  Effectiveness of Interaction
Very           Effective     Somewhat        Very          No
Effective                    Ineffective     Ineffective   Basis to
                                                           Judge

Private Sector Entity:
Watch List:
                  Effectiveness of Interaction
Very           Effective     Somewhat        Very          No
Effective                    Ineffective     Ineffective   Basis to
                                                           Judge

8. If you said that your agency’s sharing watch list
   information with state or local agencies, or with
   private sector entities was less than very effective,
   please describe the obstacle(s) that hamper the
   sharing of watch list information and the negative
   effect on your mission of this less than very
   effective sharing, if any.

            Please fill out one of the boxes below for each
            state or local agency or private sector entity
            your organization has experience with.
            Additional boxes are provided in Appendix
            IV.

State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission

State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




Private Sector Entity:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




Private Sector Entity:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




9. Has your agency received information or guidance
   from the Office of Homeland Security on sharing
   information from watch lists?

         1.    [ ] Yes
         2.    [ ] No

         If yes, please describe the guidance provided
         and what steps your organization has taken
         and/or plans to take in response to this
         guidance? (After answering below, go to
         question 11.)

      _______________________________________

10.    How beneficial would guidance from the Office
       of Homeland Security be to your organization?

         1.    [ ] Very beneficial
         2.    [ ] Somewhat beneficial
         3.    [ ] Not beneficial

         Please explain your answer below.

      _______________________________________

11.    Has your agency received policies or guidance
       from any other agency (not including the
       Office of Homeland Security) on sharing
       information from watch lists?

         1.    [ ] Yes
         2.    [ ] No

         If yes, please describe the guidance provided
         and what steps your organization has taken
         and/or plans to take in response to this
         guidance?

      _______________________________________




12. Please use the space provided to share any other
    thoughts you have on the use and control of federal
    watch lists.

    _______________________________________

Please fax the completed survey and any additional
documents to either of the following numbers:

(202) 512-2502
(202) 512-2514

or return the completed survey and any additional
documents by Federal Express (for security
reasons, no U.S. mail please) to the following
address:

Gary Mountjoy
Assistant Director
Information Technology Team
441 G Street, NW
Room 4T21-B
Washington, DC 20548

APPENDIX I

II. Watch List Development and/or
    Maintenance

Please provide the requested information for
each watch list[9] developed and/or maintained
by your agency.

Name of Watch List: ______________________
_________________________________________
Purpose of Watch List _____________________
_________________________________________

1. Is your watch list limited to terrorists, or does it
   include information on others?

    1. [   ]   Terrorists only
    2. [   ]   Terrorists and others, such as criminals
    3. [   ]   Criminals only
    4. [   ]   Other (please specify):
                ___________________________

2. Is this list maintained electronically, manually (on
   paper), or by a combination of these methods?

    1. [ ] Electronically only
    2. [ ] Manually (on paper) only
    3. [ ] Both electronically and manually

3. How many names are on this list as of August 1,
    2002? __________ (number)

4. Are the data source(s) for this list internal or
   external?

    1. [ ] Internal only
    2. [ ] External only
    3. [ ] Both Internal and External

5. Describe how your agency determines the names
   that are added to this watch list, including a
   description of the criteria used to make such
   determinations. If additional space is needed, add
   pages as necessary.

    _______________________________________

6. What controls are in place to help ensure that the
   procedures for adding names to the watch list are
   consistently applied?

    _______________________________________




[9] A watch list—also referred to as lookout, target, or tip-off
list—contains information on known and suspected domestic
and international terrorists and criminals and is used by
federal, state, and local agencies to identify, monitor, and
apprehend these terrorists and criminals.

7. Describe how your agency determines the names
   that are removed from this watch list, including a
   description of the criteria used to make such
   determinations. If additional space is needed, add
   pages as necessary.

     _______________________________________

8.   What controls are in place to help ensure that the
     procedures for deleting names from the watch list
     are consistently applied?

     _______________________________________

9. How often is this watch list updated?

    1. [   ]    Real-time
    2. [   ]    Daily
    3. [   ]    Weekly
    4. [   ]    Monthly
    5. [   ]    Quarterly
    6. [   ]    Semi-annually
    7. [   ]    Annually
    8. [   ]    Other (please specify): ________________

10. For this list, what is the level of classification of
    data as specified by Executive Order 12958[10]?

    1. [ ] Unclassified
    2. [ ] Confidential
    3. [ ] Secret
    4. [ ] Top Secret
    5. [ ] Other (please specify):
         _____________________________________

11. Does this watch list information allow individuals
    with false identities to be detected?

    1.    [ ] Yes
    2.    [ ] No

12. Does this watch list information allow individuals
    with false documents to be detected?

    1.    [ ] Yes
    2.    [ ] No




[10] Executive Order 12958 specifies how information
related to national defense and foreign relations is to be
maintained and protected against unauthorized
disclosure. It provides a hierarchy of three levels, with
different levels of protection depending on the
sensitivity of the information.

13. Please tell us whether the list includes any of the
    following items by placing a check (✓) in the
    appropriate column.

Watch List Data Items               Included   Not Included

Biometric Data
   Two-print fingerprints
   Ten-print fingerprints
   Iris Images
   Facial Images
   Hand Images
   Photographs
   Other (please specify):
Biographical Data
   Name
   Aliases
   Address
   Date of Birth
   Nationality/Citizenship
   Passport Number
   Name of Country Issuing Passport/Visa
   Other (please specify):
Criminal Histories
   Arrests
   Warrants Issued
   Other (please specify):
Immigration Record
   Countries Visited
   Type of Visa Granted (e.g., student, Tourist, etc.)
   Date of arrival
   Date of departure
   Other (please specify):
Travel Records
   Dates of travel
   Departure country
   Destination country
   Purpose of travel
   Other (please specify):
Financial Transactions
   Large currency transactions
   Credit card requests
   Other (please specify):
Other Data Groups (please specify):
   _____________________________

14. Do you share all or some of the information in this
    list with other federal, state, or local government
    agencies and/or others (e.g., private sector firms,
    associations, etc.)? Please check (✓) yes or no for
    each type of organization.

                                            Yes     No
    Federal Agencies
    State Agencies
    Local Agencies
    Private sector firms and associations
    Other (please specify):

    If you answered no to all of the categories
    above, please explain why you do not share
    this information with others, and then
    proceed to Part III. If additional space is
    needed, add pages as necessary.
    _______________________________________





15. For each of the categories in question 14 that you
    answered yes to, please check all of the types of
    organizations you share data with:

   a. Federal Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
               _______________________________
               _______________________________

   Please list the federal agencies you share data with.
   If additional space is needed, add pages as necessary.
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   _______________________________________
   b. State Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
                _______________________________
                _______________________________

   c. Local Agencies:
       1. [ ] Law Enforcement
       2. [ ] Intelligence
       3. [ ] Other (please specify): _____________
               _______________________________
              _______________________________

   d. Private sector firms and associations:
       1. [ ] Commercial Airlines
       2. [ ] Ship Lines
       3. [ ] Other (please specify): _____________
              _______________________________
              _______________________________








16. Of the data items in your watch list, which ones do you share and with which organizations? For each item, please
   circle whether or not you share the item with the type of organization specified in the categories in the table below.

Watch List Data Items

                                            Federal Law        Federal         State          Local         Private
                                            Enforcement      Intelligence     Agencies       Agencies     Sector Firms
                                             Agencies         Agencies                                         &
                                                                                                          Associations
Biometric Data                               Yes or No          Yes or No    Yes or No      Yes or No      Yes or No
Two-print fingerprints                       Y      N           Y     N       Y     N        Y     N        Y     N
Ten-print fingerprints                       Y      N           Y     N       Y     N        Y     N        Y     N
Iris Images                                  Y      N           Y     N       Y     N        Y     N        Y     N

Facial Images                                Y      N           Y     N       Y     N        Y     N        Y     N
Hand Images                                  Y      N           Y     N       Y     N        Y     N        Y     N
Photographs                                  Y      N           Y     N       Y     N        Y     N        Y     N
Biographical Data

Name                                         Y      N           Y     N       Y     N        Y     N        Y     N
Aliases                                      Y      N           Y     N       Y     N        Y     N        Y     N
Address                                      Y      N           Y     N       Y     N        Y     N        Y     N
Date of Birth                                Y     N            Y      N      Y     N        Y     N        Y     N
Nationality/Citizenship                      Y      N           Y     N       Y     N        Y     N        Y     N
Passport Number                              Y      N           Y     N       Y     N        Y     N        Y     N
Name of Country Issuing Passport/Visa        Y      N           Y     N       Y     N        Y     N        Y     N
Other (please specify):                      Y      N           Y     N       Y     N        Y     N        Y     N
Criminal Histories
Arrests                                      Y      N           Y     N       Y     N        Y     N        Y     N
Warrants Issued                              Y      N           Y     N       Y     N        Y     N        Y     N
Other (please specify):                      Y      N           Y     N       Y     N        Y     N        Y     N
Immigration Record
Countries Visited                            Y      N           Y     N       Y     N        Y     N        Y     N
Type of Visa Granted (e.g., student)         Y      N           Y     N       Y     N        Y     N        Y     N
Date of arrival                              Y      N           Y     N       Y     N        Y     N        Y     N
Date of departure                            Y      N           Y     N       Y     N        Y     N        Y     N
Other (please specify):
Travel Records
Dates of travel                              Y      N           Y     N       Y     N        Y     N        Y     N
Departure country                            Y      N           Y     N       Y     N        Y     N        Y     N
Destination country                          Y      N           Y     N       Y     N        Y     N        Y     N
Purpose of travel                            Y      N           Y     N       Y     N        Y     N        Y     N

Other (please specify):
Financial Transactions
Large currency transactions                  Y      N           Y     N       Y     N        Y     N        Y     N
Credit card requests                         Y      N           Y     N       Y     N        Y     N        Y     N
Other (please specify):
_____________________________
_____________________________
_____________________________






17. For each item in question 16 for which you
    answered no, please tell us the reason(s) why
    data is not made available to other federal, state,
    or local agencies or to private sector firms and
    associations.
    _______________________________________




Appendix II
Watch List Users—Those Who Access
and Use Other Agencies’ Watch Lists

Please provide the requested information for
each watch list¹¹ provided by another agency.
If you do not receive others’ watch lists,
please go directly to part V.

Name of Watch List: ______________________
_________________________________________

Agency Providing Watch List _______________
_________________________________________

How does your agency use this watch list?
_________________________________________

1. Does your agency receive and use watch list
   information on?
         1.   [ ] Terrorists only
         2.   [ ] Terrorists and others, such as
                  criminals
         3.   [ ] Criminals only
         4.   [ ] Other (please specify): ______
              ____________________________

2. By what mechanism(s) does your agency receive
   watch list information?

         1. [ ] Electronically only
         2. [ ] Manually (on paper) only (go to
                question 4)
         3. [ ] Both electronically and manually

3. If you share watch lists by transferring electronic
   data, please place a check (✓) in the appropriate
   column(s) below.

   Electronic Data Transfer Methods                      Yes   No
   Tapes
   Disks or diskettes
   Electronic files via telecommunications links
      (e.g., e-mail)
   FAX
   File Transfer Protocol
   Telnet
   Web Access (Hypertext Transfer Protocol (HTTP) or
      HTTP over Secure Socket Layer (HTTPS))
   Secure Community of Interest (such as Intel-Link)
   Other (please specify):
   _____________________________

4. Does your agency have data sharing agreement(s)
   with the agencies you receive this list from?

         1.     [ ] Yes
         2.     [ ] No

5. Check (✓) the box showing how frequently you
   receive updated watch list information:

         1. [   ]   Real-time
         2. [   ]   Daily
         3. [   ]   Weekly
         4. [   ]   Monthly
         5. [   ]   Quarterly
         6. [   ]   Semi-annually
         7. [   ]   Annually
         8. [   ]   Other (please specify):____________




¹¹ A watch list—also referred to as lookout, target, or tip-off
list—contains information on known and suspected domestic and
international terrorists and criminals and is used by federal, state,
and local agencies to identify, monitor, and apprehend these terrorists
and criminals.





6. Would receiving watch list information more
   frequently improve your agency’s ability to
   identify, monitor, and/or apprehend known and
   suspected terrorists and criminals?

        1.   [ ] Yes
        2.   [ ] No

7. Does this watch list information allow
   individuals with false identities to be detected?

        1.   [ ] Yes
        2.   [ ] No

8. Does this watch list information allow
   individuals with false documents to be detected?

        1.   [ ] Yes
        2.   [ ] No

9. Does your agency receive all the data it requests
   from the agency providing this watch list?

        1.   [ ] Yes
        2.   [ ] No

        If your answer is yes, please go directly to
        section V. If your answer is no, please
        proceed to question 10.

10. For this watch list, please check (✓) the items
    not provided and list the reason(s) the agency
    gave for not providing them.

Watch List Data Items           Data Not   Reason Given For Not
                                Received   Providing
Biometric Data
   Two-print fingerprints
   Ten-print fingerprints
   Iris Images
   Facial Images
   Hand Images
   Photographs
   Other (please specify):
Biographical Data
   Name
   Aliases
   Address
   Date of Birth
   Nationality/Citizenship
   Passport Number
   Name of Country Issuing Passport/Visa
   Other (please specify):
Criminal Histories
   Arrests
   Warrants Issued
   Other (please specify):
Immigration Record
   Countries Visited
   Type of Visa Granted (e.g., student, tourist)
   Date of arrival
   Date of departure
   Other (please specify):
Travel Records
   Dates of travel
   Departure country
   Destination country
   Purpose of travel
   Other (please specify):
Financial Transactions
   Large currency transactions
   Credit card requests
   Other (please specify):
Other (please specify):
   __________________________








APPENDIX III

IV. Information/Data Architecture

Please provide the requested information for
each watch list identified in parts II and IV.
Additional pages are provided in appendix
III if you have more than one watch list. If
your watch list does not reside in a
computerized database or system, skip to
part VI.

Name of Watch List: _______________________
_________________________________________

1. For this watch list, please provide in the table
   below the hardware architecture elements (by
   product name) of the database or system the list
   resides on:

   Hardware Architecture Elements
   Computer Platform (type, manufacturer, and model number)
   Disk Space (bytes)
   Memory (bytes)
   Application Architecture (e.g., mainframe, client-server)
   Other (please specify):
   _____________________________________________

2. For this watch list, please provide in the table
   below the software architecture elements (by
   product name) of the database or system the
   list resides on. In addition, where applicable,
   check (✓) the standard your product is
   compliant with.

   Software Architecture Elements
   Operating System
   Database Management System
   Application Software (for COTS, provide the product name;
   for internally-developed, give the agency name)
      COTS _____
      Internally Developed ______
   Computer Programming Language
   Data Access Middleware (please list product used and check
   if it is compliant with the listed standards or protocols)
      Open Database Connectivity _____
      Java Database Connectivity _____
      Other (specify):
   Application Communication Middleware (please list product
   used and check if it is compliant with the listed standards
   or protocols)
      Remote Procedure Call (RPC) model ______
      Message Passing model ______
      Message Queuing model _______
      Publish and Subscribe model ______
      Other (please specify):
   Other (please specify):
   _____________________________________________








3. For this watch list, please check (✓) below any of
   the software infrastructure standards your system
   or database is compliant with. If your system or
   database is compliant with a standard not listed,
   please list it in the other category. (Check all that
   apply.)

   1. [ ] Distributed Computing Environment
   2. [ ] Common Object Request Broker Architecture
   3. [ ] Distributed Component Object Model
   4. [ ] Java Remote Method Invocation
   5. [ ] Other (please specify): _____________
           _______________________________

4. For this watch list, please specify each type of
   network connectivity used by your agency:
   (Check all that apply.)

   1.   [ ] World Wide Web
   2.   [ ] Public Switched Telephone Network
   3.   [ ] Non-Secure Internet Protocol Routing
            Network
   4.   [ ] Secure Internet Protocol Routing Network
   5.   [ ] Treasury Electronic Communications
            System or other federal
            telecommunications intermediary system
   6.   [ ] Virtual Private Network
   7.   [ ] Dedicated Network
   8.   [ ] Other (please specify): _____________
            _______________________________

5. Is the system on which your list resides built in
   compliance with open system standards?

          1.   [ ] Yes
          2.   [ ] No

       If yes, please specify which standard(s) you
       used to develop and/or implement your
       system.
    _______________________________________

6. Is the database or system your list resides on
   stand-alone¹² or networked?

          1.      [ ] Stand-alone only (go to question 8)
          2.      [ ] Networked only
          3.      [ ] Both stand-alone and networked
                      components
          3.      [ ] Other (please specify): _________
                      ___________________________

7. Please complete the table below by designating
   with a check (✓) the types of systems or networks
   your database and/or system is connected to and
   listing the systems:

   Type of Systems             Yes    No    If Yes, List System(s)
                               (✓)    (✓)
   Commercial Systems
   Defense Systems
   Internet
   Intranet
   Extranet
   Wireless Connection
   Other (please specify):
   __________________________

8. What fields can you use to search for individuals?
   (Check all that apply.)

          1. [ ] Name fields
          2. [ ] Biometric fields (e.g., fingerprints)
          3. [ ] Date of birth fields
          4. [ ] Other (please specify): ______________
                 ________________________________

                                                                 12
                                                                   A stand-alone database/system is one that is not directly
                                                                 connected to other systems or networks.

9. Does your system include a “fuzzy” search13
   capability?

        1.   [ ] Yes
        2.   [ ] No

The following questions address the metadata14 or
structure of your data.

10. For this watch list, please describe below what
    type of standards, schema, or specifications
    your agency uses to define the format and
    content of your watch list data elements or
    records.15

     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________
     _______________________________________

11. Has your agency created a metadata template
    for describing a terrorist?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide
        documents identifying the number of
        elements, name of each element, data type
        of each element, and meaning of each
        element.

12. Is your agency using document type definitions
    (DTDs) or schemas16 for requesting watch list
    information from another agency?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide a copy
        of the DTD/schema for requesting watch
        list information.

13. Is your agency using DTD/schemas for
    responding to a watch list information request
    from another agency?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide a copy
        of the DTD/schema for requesting watch
        list information.

14. Is your agency using DTDs/schema for
    automatically updating watch list information?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide a copy
        of the DTD/schema.

15. Has your agency developed and institutionalized
    a watch list data dictionary that describes the
    elements used in the DTDs/schemas?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide a copy
        of the data dictionary.

13 A search for data that finds answers that come
   close to the data being searched for. It can get
   results when the exact spelling is not known or help
   users obtain information that is loosely related to a
   topic.
14 Metadata is definitional data that provides
   information about or documentation of data managed
   within an application or environment. For example,
   metadata would document data about data elements
   or attributes, such as the element name, size, and
   type.
15 For example, state motor vehicle administrators
   use the American Association of Motor Vehicle
   Administrators’ XML Driver History Query System
   Specifications.
16 A DTD or schema is a file that describes the structure of
   a document and defines how markup tags should be
   interpreted.

16. Is your agency sharing its data dictionary with
    other agencies?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please provide the
        names of the agencies you share with
        below.

    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________

17. Does your agency use metadata to develop and
    maintain the watch list(s) it uses?

        1.   [ ] Yes
        2.   [ ] No

        If you answered yes, please proceed to the
        next question. If you answered no, please
        skip to question 20.

18. Do you use an encoding scheme, such as XML,
    to encode watch list data elements?

        1.   [ ] Yes
        2.   [ ] No (go to question 20)

19. Check the box below for the encoding scheme
    you use to encode watch list elements. (Check
    one.)

        1. [ ] XML
        2. [ ] HTML
        3. [ ] SGML
        4. [ ] Other (please specify):
        _________________________________

20. Does your watch list database contain any of
    the following security controls? (Check all
    that apply.)

        1.  [ ] Segregation of Duties
        2.  [ ] Application Security Plan
        3.  [ ] Vulnerability Assessments or Reviews
        4.  [ ] Penetration Testing
        5.  [ ] Intrusion (Actual or attempted) Detection
                and Monitoring
        6.  [ ] Maintaining audit trails of all access to and
                modification of files
        7.  [ ] Investigation of suspicious access or
                modification activity
        8.  [ ] Revision of access control policies and
                techniques to address violations
        9.  [ ] Application Change Controls
        10. [ ] Access Identification
        11. [ ] Access Authentication
        12. [ ] Authorization Required to Alter Lists
        13. [ ] Audits or Inspections
        14. [ ] Encryption
        15. [ ] Other: __________________________
                _______________________________
                _______________________________

21. How many times in the past 12 months has
    someone attempted to penetrate your watch list
    system?
    __________

22. How many attempts to penetrate were
    successful? _______

23. What controls are in place to help ensure data
    integrity?

    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________





24. What controls are in place to help ensure data
    reliability?

    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________
    _______________________________________








APPENDIX IV

Consolidation of Watch Lists

1. Additional fill-in boxes for question 5.

Agency:
Watch List:
                     Effectiveness of Interaction
Very           Effective          Somewhat        Very            No Basis
Effective                         Ineffective     Ineffective     to Judge


Agency:
Watch List:
                     Effectiveness of Interaction
Very           Effective          Somewhat        Very            No Basis
Effective                         Ineffective     Ineffective     to Judge


Agency:
Watch List:
                     Effectiveness of Interaction
Very           Effective          Somewhat        Very            No Basis
Effective                         Ineffective     Ineffective     to Judge


Agency:
Watch List:
                     Effectiveness of Interaction
Very           Effective          Somewhat        Very            No Basis
Effective                         Ineffective     Ineffective     to Judge


2. Additional fill-in boxes for question 6.

Agency:
Watch List:

Describe Obstacle        Describe Negative Effect on Mission


Agency:
Watch List:

Describe Obstacle        Describe Negative Effect on Mission


Agency:
Watch List:

Describe Obstacle        Describe Negative Effect on Mission








3. Additional fill-in boxes for question 7.

State/Local Agency:
Watch List:
                     Effectiveness of Interaction
Very            Effective     Somewhat        Very            No Basis
Effective                     Ineffective     Ineffective     to Judge


State/Local Agency:
Watch List:
                     Effectiveness of Interaction
Very            Effective     Somewhat        Very            No Basis
Effective                     Ineffective     Ineffective     to Judge


State/Local Agency:
Watch List:
                     Effectiveness of Interaction
Very            Effective     Somewhat        Very            No Basis
Effective                     Ineffective     Ineffective     to Judge


Private Sector Entity:
Watch List:
                     Effectiveness of Interaction
Very            Effective     Somewhat        Very            No Basis
Effective                     Ineffective     Ineffective     to Judge


Private Sector Entity:
Watch List:
                     Effectiveness of Interaction
Very            Effective     Somewhat        Very            No Basis
Effective                     Ineffective     Ineffective     to Judge


4. Additional fill-in boxes for question 8.

State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission


State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission


State/Local Agency:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission








Private Sector Entity:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




Private Sector Entity:
Watch List:

Describe Obstacle        Describe Negative
                         Effect on Mission




Appendix V

GAO Contact and Staff Acknowledgments




GAO Contact       Gary Mountjoy, (202) 512-6367.



Staff             In addition to the individual named above, Elizabeth Bernard, Neil Doherty,
Acknowledgments   Joanne Fiorino, Will Holloway, Tonia Johnson, Anh Le, Kevin Tarmann, and
                  Angela Watson made key contributions to this report.




(310228)
GAO’s Mission            The General Accounting Office, the audit, evaluation and investigative arm of
                         Congress, exists to support Congress in meeting its constitutional responsibilities
                         and to help improve the performance and accountability of the federal government
                         for the American people. GAO examines the use of public funds; evaluates federal
                         programs and policies; and provides analyses, recommendations, and other
                         assistance to help Congress make informed oversight, policy, and funding
                         decisions. GAO’s commitment to good government is reflected in its core values of
                         accountability, integrity, and reliability.


Obtaining Copies of      The fastest and easiest way to obtain copies of GAO documents at no cost is
GAO Reports and          through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and
Testimony                full-text files of current reports and testimony and an expanding archive of
                         older products. The Web site features a search engine to help you locate
                         documents using key words and phrases. You can print these documents in their
                         entirety, including charts and other graphics.
                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site
                         daily. The list contains links to the full-text document files. To have GAO e-mail this
                         list to you every afternoon, go to www.gao.gov and select “Subscribe to GAO
                         Mailing Lists” under “Order GAO Products” heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A check
                         or money order should be made out to the Superintendent of Documents. GAO
                         also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single
                         address are discounted 25 percent. Orders should be sent to:
                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548
                         To order by Phone:     Voice: (202) 512-6000
                                                TDD: (202) 512-2537
                                                Fax: (202) 512-6061


To Report Fraud,         Contact:
Waste, and Abuse in      Web site: www.gao.gov/fraudnet/fraudnet.htm
Federal Programs         E-mail: fraudnet@gao.gov
                         Automated answering system: (800) 424-5454 or (202) 512-7470



Public Affairs           Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
                         U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548