One of the more interesting privacy developments in the current session of Congress involves a Defense Advanced Research Projects Agency project formerly known as Total Information Awareness and recently renamed Terrorism Information Awareness.
This program has received more than its share of publicity. One reason is that DARPA put John Poindexter in charge. Poindexter was national security adviser during the Reagan administration. He lost his job and was convicted of, among other things, lying to Congress over Iran-contra activities. The conviction was overturned on the grounds that the Congress had granted him immunity from prosecution.
Whatever you think of Poindexter, he was a guaranteed lightning rod for attention. Poindexter is, however, a red herring here. The story for DM News readers is data mining, privacy and terrorism.
TIA is a data mining project with an objective of collecting nearly every available scrap of personal information from public and private sources for the purpose of locating potential terrorists. The program planned to collect credit reports, bank records, airline reservation systems, criminal history records, transaction records, health data and even veterinary records.
Some problems are obvious. First, much of the data isn’t readily available. Any company that turned over its health or transaction records to the government would be overwhelmed by bad publicity. Imagine the public response if Amazon, Kaiser Permanente or Abacus gave the government access to its records.
Second, compiled personal data often isn’t very good for its original purpose, let alone an unrelated and speculative purpose. Consumer records are filled with errors, cross-links and obsolete information. For example, criminal history records are notoriously incomplete.
Third, it isn’t easy to draw inferences from compiled data. Despite all the data, computers and promises, many of you would be delighted with a 5 percent response to your carefully targeted mailings. In other words, data mining is a bit overhyped, and maybe a lot overhyped.
Fourth, the consequence of misdirected direct mail is trash. The consequences of misidentifying a potential terrorist, and nearly all mistakes will be false positives, will be major disruptions in the lives of those who are misidentified. Imagine if you are booted off an airplane because you, like a known terrorist, bought a book about skyscrapers?
How many false positives? Based on a Scientific American analysis, I calculate that even an incredibly successful (99 percent accurate) system would find more than 30,000 false positives for every terrorist identified.
So TIA has more than a few conceptual problems to overcome. In addition, it’s hard to see how its public relations could have been handled in a worse fashion, even apart from Poindexter’s role. The program adopted a pretentious motto (“Knowledge is power”) and logo (an all-seeing eye). After a few rounds of bad publicity, the program’s Web site dropped the motto, logo and many documents from public view. But it was too late as others already had copied and posted everything on the Internet, beyond DARPA’s control.
This is all background to the real story. TIA caught the eye of several senators. Sen. Russell Feingold, D-WI, introduced the first bill to stop TIA. Eventually, Sen. Ron Wyden, D-OR, added an amendment to the omnibus appropriations bill to restrict TIA, and the amendment passed the Senate without dissent.
The Defense Department tried to head off the amendment by appointing two oversight committees, including one high-level independent committee. [Personal note: My wife is related to someone on that committee, but I have never discussed TIA with that person.] DOD’s attempted save was too little and too late. Congress accepted the Senate amendment with minor changes. Deployment or implementation of the TIA data mining program on Americans now requires affirmative congressional authorization, and that won’t be easily accomplished.
After 9/11, I was constantly asked about the future of privacy. I suggested in this space and elsewhere that the public was probably more willing to see government invasions of privacy for the purpose of enhanced security and combating terrorism. However, I didn’t think that the commercial side of privacy would be changed.
The congressional response to TIA shows that concern about privacy has now overcome fears of terrorism. Not entirely, of course. But we have moved beyond the anything-goes stage, and there is more interest in limiting government and striking balances.
In some ways, the real villain is data mining itself. Listen to Feingold: “The untested and controversial intelligence procedure known as data mining is capable of maintaining extensive files containing both public and private records on each and every American.” Passage of the legislation makes it official that data mining is a dirty word, at least in the government.
Consumers also have reacted to a computer passenger screening system with data mining overtones being developed by the Transportation Security Administration. Delta Air Lines agreed to be a test site, and immediately a Web site sprang up encouraging fliers to boycott Delta. Whether the boycott will have an effect is unclear. Regardless, the TSA screening program seems to be regrouping, and TIA seems to be backpedaling rapidly as well.
How much the Washington view of data mining will spill into private-sector activities outside of terrorism remains to be seen. Regardless, take the hint from Congress and retire the data mining label. It’s time for a new buzzword.
