Report Criticizes Technique; Scanning civilian databases hasn't worked as expected, and raises privacy concerns

By SHEILA RILEY
Investor's Business Daily
Counterterrorism remains top DOJ concern
Experts like Obama's preparedness plans

WASHINGTON — A federal program that scans civilian databases to spot potential terrorists is ineffective and threatens the privacy of millions of law-abiding Americans, says a government-commissioned report by the National Research Council.

The finding casts doubt on a technique some hail as a high-tech terrorist-hunting tool, but others criticize as too invasive and useless against terrorists.

Long used by businesses, data mining involves analyzing reams of data and making connections between disparate bits of information.

In retail, a data-mining system might surmise that a customer who has begun purchasing baby products has a new infant, and offer discounts on diapers.

In theory, government data mining would, say, find patterns of phone calls to link known terrorists to unknown sleeper agents.

But the NRC's 376-page report says data mining has yet to prove effective in real-world usage.

"We were consistently concerned that data mining does not have demonstrated efficacy for fighting terrorists," said Ben Shneiderman, a University of Maryland computer science professor and one of the 21 committee members.

The report, titled "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment," was released last month.

The NRC is the principal agency of the National Academies of Sciences and Engineering, which advises the government on science and technology. It prepared the report at the request of the U.S. Department of Homeland Security and the National Science Foundation.

Government data-mining techniques can encompass scanning everything from phone records to Internet surfing habits to travel reservations.

"Danger Of overreaction'

"There is a danger of overreaction, which will damage enduring American values of privacy and civil justice," Shneiderman said. "We need to ensure that we strongly protect individual privacy while keeping our guard up against terrorists."

Congress should re-examine existing law to see how counterterrorism programs can protect privacy and should consider restricting the way they use personal data, the report said.

It also recommended that the programs undergo independent oversight, and that anyone harmed by privacy violations should have a way to redress such breaches.

Committee members took issue with how the government gathers data.

Some of that information comes from commercial data warehousers -- with no guarantees of accuracy, says committee member Stephen Fienberg, a professor of statistics and social science at Carnegie Mellon University in Pittsburgh.

"Nobody seems to take responsibility for that part of the concern," Fienberg said. "We deemed that to be a very substantial concern."

The DHS has purchased at least parts of databases from ChoicePoint, LexisNexis and Axiom, says Fienberg, who also works in Carnegie Mellon's CyLab, the largest university-based cybersecurity institute in the U.S.

Merging data from various databases inevitably leads to mistakes. But government counterterrorism programs don't always take into account where its information comes from or whether it might not be true.

"It's basically a problem where government programs really are not focused on the data sources and the correctness, but rather the use of the data they have at hand," Fienberg said.

The unpredictable nature of terrorist activity is another complicating factor. Data mining can work well, but only when behavior patterns stay the same.

Suppose security experts assume the next terrorist attack will resemble 9/11, Fienberg says. They could look at communications among foreigners who bought one-way, first class airplane tickets, possibly finding patterns in cell phone and e-mail records.

Then they could search databases for those same patterns -- assuming the patterns will repeat.

Just one tool

"Even if the pattern is rare, data mining can be a very effective way to locate the individuals who fit the pattern," Fienberg said. "The problem in counterterrorism is that we appear to have a constantly changing target."

Data mining is just one way the DHS goes after terrorists, according to spokeswoman Carolyn Dierker. And the agency agrees that "false positives" -- incorrectly labeling people as terrorists -- are a concern.

"We're keenly aware of false positives," Dierker said. "Data mining is simply one tool in our arsenal in tracking down bad guys. We have literally hundreds of methods."

Data mining can be used in conjunction with human analysis, she says.

The government needs to further study data mining's potential in counterterrorism, says Parney Albright, former Assistant Secretary of Homeland Security for Science and Technology at the DHS. No hard statistics exist on how well the technique works, says Albright, now managing director and vice-chairman of security consulting firm Civitas Group.

But as it stands now, neither data mining nor any other technologies are good enough to prevent terrorism without compromising privacy to a degree Americans won't accept, he says.

"None of this stuff is ready for prime time -- and may never be ready for prime time," he said.

Officials should continue to research and develop counterterrorism technologies, he contends, but with a clear eye on the consequences of mistakes.

"These systems have to be judged against what's accomplished, and the impact on the public in terms of false positives," Albright said.

Copyright 2008 Investor's Business Daily, Inc.