WEBINAR: Live Date: December 14, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Modernizing Authentication — What It Takes to Transform Secure Access REGISTER >
Congress has a special responsibility to provide technological and legal oversight of data mining programs to ensure invasive searches are focused on the most serious crimes, a George Washington University law professor told the House Subcommittee on Technology Tuesday morning.
The subcommittee is investigating the possible privacy abuse issues arising out of the government use of data mining technology, including longstanding and successful programs used to identify and eliminate fraud, waste and abuse in the government and more controversial projects such as the Pentagon's Total Information Awareness (TIA) program and the Computer Assisted Passenger Prescreening System (CAPPS II) being developed by the Transportation Security Administration (TSA).
"The TIA model may not be effective in identifying terrorists and picking them out of the crowd," Jeffrey Rosen, who is also the legal affairs editor of the New Republic, told the subcommittee, "Unlike people who commit credit card fraud -- a form of systematic, repetitive and predictable behavior that fits a consistent profile identified by millions of transactions there is no reason to believe that terrorists in the future will resemble those in the past."
Rosen pointed to the fact that there were only 11 terrorists on Sept. 11, 2001, and those that subsequently followed them weren't Saudi Arabians who went to flight school in Florida.
"By trying to identify people who look like the 9/11 hijackers, the profiling scheme is looking for a needle in the haystack, but the color and shape of the needle keep changing," Rosen said. "And because the sample of known terrorists is so small, the profiles are bound to produce a prohibitive number of 'false positives' that is passengers whom the system wrongly identifies as a likely terrorist."
Rosen added, "A profiling system that has a 50 percent accuracy rate in identifying terrorists would mean that one of every two passengers would be wrongly singled out for special searches."
According to Rosen, IT privacy and security expert Roger Clarke has called programs such as TIA and CAPPS II "mass dataveillance" -- the suspicious surveillance of large groups of people -- as opposed to "personal dataveillance," which Clarke defines as the targeted surveillance of individuals who have been identified in advance as suspicious or dangerous.
Rosen argued that the government's use of dataveillance raises Fourth Amendment issues.
"Dataveillance gives the government essentially unlimited discretion to search through masses of personal information in search of suspicious activity, without specifying in advance the people, places or things it expects to find," Rosen said. "Dataveillance allows fishing expeditions in which the government is trolling for crimes rather than criminals, violating the privacy of millions of innocent people in the hope of finding a handful of unknown and unidentified terrorists."
In February, Congress cut off funding for the controversial TIA data mining program at the Pentagon, and earlier this month an amendment passed the Senate Commerce Committee to require Congressional oversight of CAPPS II.
The TIA program aims to capture the "information signature" of people in order to track potential terrorists and has been sharply criticized by privacy and civil liberties groups. It is a project of the Pentagon's Information Awareness Office (IAO), which is under the Defense Advanced Research Projects Agency (DARPA) and is headed by former Reagan administration national security advisor John Poindexter.
The IAO's stated mission is to "imagine, develop, apply, integrate, demonstrate and transition information technologies, components and prototype, closed-loop, information systems that will counter asymmetric threats by achieving total information awareness useful for preemption; national security warning; and national security decision making."
Washington think thank Cato Institute interprets that as "a colossal effort to assemble and 'mine' massive databases of our credit card purchases, car rentals, airline tickets, official records and the like. The aim is to monitor the public's whereabouts, movements and transactions to glean suspicious patterns that indicate terrorist planning and other shenanigans."
As proposed by the TSA, CAPPS II would scan government and commercial databases for potential terrorist threats when a passenger makes flight reservations. Under the program, airline passengers will be required to provide their full name plus address, phone number and date of birth.
Once that information is entered, the airline computer reservation system will automatically link to the TSA for a computer background check on the traveler that can include a credit, banking history and criminal background check.
Despite the recent controversies, government agencies have successfully used data mining techniques for years. States work with localities by providing them access to their data sources. This has allowed local and state enforcement agencies to zero in on tax evaders, perpetrators of financial crimes or those conducting any number of fraudulent activities.
At the federal level, the Treasury Department uses the technology to identify and prosecute money laundering schemes, the IRS to track down delinquent taxpayers, and U.S. Customs to identify drug trafficking activities at U.S. borders.
Since the Sept. 11 terrorist attacks, however, the need to obtain credible information in a more efficient manner has become a much higher priority for the government. The potential issues associated with national security and law enforcement have caused governments at all levels to examine in a more focused manner all available tools that could support the efforts to provide security and protection to the country.
That, in turn, has prompted civil liberties and privacy groups to raise fundamental concerns about invasion of privacy and the potential for abuse and misuse of information. Critics also question the reliability and integrity of the results produced by data mining.