CEPIC is used to identify "non-obvious relationship patterns among individuals and organizations that are indicative of violations of customs and immigration laws or terrorist threats," according to DHS.

"Government data mining should have tough-minded oversight if we're going to keep Americans safe from terrorism, avoid wasting tax dollars on one boondoggle technology after another, and protect the privacy of innocent Americans," Miller said in a statement. "The intelligence community has to stop using the legitimate need for some secrecy in counter-terrorism to hide from oversight, and Congress needs to get over our 'gee-whiz' attitude when we deal with the intelligence community."

A DHS spokeswoman didn't immediately respond to a request for comments on the GAO report, but the agency agreed with the GAO recommendations in the report. DHS is committed to ensuring that the data-mining programs are "adequately reviewed, deliver required capabilities, appropriately protect individual privacy, and maintain appropriate transparency to the public," wrote Jim Crumpacker, director of the GAO liaison office at DHS.

The privacy office at DHS has begun an investigation into the ICEPIC program, Edwards and Miller said.

"It is alarming that DHS needed GAO to point out that the agency's data mining program has been violating its own privacy protocols for more than three years by sharing sensitive personal information with local, state, and federal officials," Edwards said in a statement.