Interesting People mailing list archives

Analytic Technologies and the War on Terrorism


From: Dave Farber <dave () farber net>
Date: Wed, 14 May 2003 04:36:12 -0400


------ Forwarded Message
From: Seth Grimes <grimes () altaplana com>
Reply-To: Seth Grimes <grimes () altaplana com>
Date: Tue, 13 May 2003 19:52:14 -0700 (PDT)
To: Dave Farber <dave () farber net>
Subject: Analytic Technologies and the War on Terrorism

Dave,

    My June 17 decision-support column for Intelligent Enterprise
magazine is on the lack of scientific evaluation of planned government use
of analytic technologies in the war on terrorism.  Perhaps it would be of
interest to IP readers.  I have pasted copy below and would welcome your
forwarding it.  (There's a formatted PDF version at
http://altaplana.com/ie0610-dsup.pdf.)

    Thanks,

                    Seth

Intelligent Enterprise Magazine (http://intelligententerprise.com)
D E C I S I O N  S U P P O R T
Look Before You Leap
By Seth Grimes

U.S. GOVERNMENT REACTIONS to post-Cold War international terrorism and to
threatening autocratic regimes have been information-centric in ways that
would make the CEOs of Wal-Mart and FedEx proud. The U.S. military's
reliance on information technologies is worth a column or two, but this
column's subject is the ambitious use of IT in the war on terrorism.

The government seeks to detect suspect activities through unprecedented
electronic surveillance, monitoring, and large-scale data analysis. If
successful, antiterror programs will ensure public safety by providing
leads and evidence that help agents render would-be terrorists helpless to
act.

The projected monetary cost of these programs is huge -- proportional to
the task -- and there may be significant privacy costs as well. Issues are
similar to those faced by private and public organizations that must
respond both to public concerns and to government legislation, such as the
Privacy Act of 1974 and the Health Insurance Portability and
Accountability Act of 1996 (HIPAA): that information collection, use, and
archiving should be justified and disclosed. A host of organizations from
across the political spectrum are keeping tabs on these issues as they
relate to the war on terrorism, answering in part the age-old question:
Quis custodiet ipsos custodes? Who will watch the watchers? There's
another part to the answer, however, that's less positive: I find little
evidence of government, academic, or advocacy-group oversight in place or
planned to evaluate whether these ambitious and highly technical
government decision systems are likely to work.

FOCUS OF CONCERNS

I recently attended a Washington, D.C. program on data mining and privacy
sponsored by the Forum on Innovation and Technology and Sen. Ron Wyden
(D-Ore.). The three panelists, Richard Perle (former assistant secretary
of defense), James Dempsey (executive director of the Center for Democracy
and Technology), and Peter Coddington (representing data-mining vendor
ClearForest Corp.), discussed whether government national-security
programs that integrate and analyze government and commercial data and
statistics might compromise the constitutionally derived privacy rights of
American citizens. Just as industry uses data mining to detect patterns,
create profiles, and score individual cases for risk assessment, fraud
detection, creditworthiness, knowledge management (search), and other
applications, the federal government would apply these techniques to
detect suspicious activity and identify and monitor dangerous persons and
organizations.

Discussion at that forum was about policy, as you'd expect of a Senate
meeting. That data mining, scoring, and similar techniques can and will
enhance our security was, to forum panelists and attendees, implicit. It
should not have been. Industry best practices say that you need to examine
options and show that a particular one will work before spending dollars
on implementation, especially when deployment will touch millions of
lives. In the desire to be seen as doing something, the government seems
to have thrown best practices that we in industry take for granted out the
window.

When quizzed about the apparent lack of technical evaluation, the forum
panelists uniformly responded that "scientific" review is urgent, and none
knew of any taking place. They agreed that the large-scale, cross-domain
effectiveness of the techniques the government would apply has not been
proven. I'll note that in addition, the government does not appear to have
evaluated alternatives.

I do not question that analytic techniques can help fight terrorism.
But in today's highly charged atmosphere -- the U.S. is beset by partisan
rivalry, the return of record budget deficits, a sluggish economy, our
inability to date to bring the 9/11 terrorists to justice, and uncertainty
about the limits of U.S. Middle East engagement -- I fear that we have
abandoned sensible, prudent technology conventions in the name of
political expediency for the sake of appearing to be doing something.

While uncertainty about effectiveness and appropriateness does not justify
idly doing nothing, neither is it a license for doing just anything.

STUTTER STEPS

Congress enacted the USA Patriot Act (USAPA) in October 2001 as an initial
salvo in the war on terrorism. That legislation was passed hastily -- the
Electronic Frontier Foundation (EFF) says without "sufficient time to
debate it or to hear testimony from experts" -- and greatly expanded the
government's surveillance and data collection authority in diverse areas
including electronic communications and DNA databases. Draft provisions of
the follow-on Domestic Security Enhancement Act of 2003, often referred to
as Patriot II, enable law enforcement personnel to collect DNA samples and
monitor any individual's electronic communications for up to fifteen days
without customary authorizations and oversight.  An EFF analysis calls
these efforts a "mindless accumulation of data" that "is not
intelligence." The EFF analysis offers the opinion that "Intelligence
requires focused thinking and focused questions. Instead, we're building a
Tower of Babel. If this continues, we'll get the worst of both worlds --
all the disadvantages of widespread privacy invasion with none of the
security benefit."

Indeed, in what must be the most extensive U.S. manhunt since the
decidedly low-tech but successful chase after John Wilkes Booth, the U.S.
has been unable to bring Osama bin Laden to justice.  According to some
reports, bin Laden employed a feint to evade pursuers, sending an aide off
with his tracked cell phone while he slipped away in another direction.

The government is pursuing various activities inside and outside the
Patriot umbrella. The Total Information Awareness (TIA) program of the
Defense Advanced Research Projects Agency (DARPA) has proved particularly
controversial, in part because Congress never specifically authorized
TIA's activities. For that reason and because, in the words of a bill
passed by the Senate, the Data-Mining Moratorium Act of 2003, "There has
been no demonstration that data-mining by a government, including
data-mining such as that which is to occur under the Total Information
Awareness program, is an effective tool for preventing terrorism."

While few senators are scientists, the Association for Computing Machinery
counts among its members numerous qualified computer scientists. The ACM's
Public Policy Committee, in a January letter to the Senate Armed Services
Committee, expressed "significant doubts that the computer-based TIA
Program will achieve its stated goal of countering terrorism through
prevention." The ACM letter offered the opinion, "It is unlikely that
sufficiently robust databases of the required size and complexity, whether
centralized or distributed, can be constructed, financed, and effectively
employed in a secure environment, even with significant research
advances." It also outlined a number of potential risks including identity
theft and the likelihood that even an unachievable 0.1 percent inaccuracy
rate would lead to 3 million misidentifications each year.

That bill wasn't enacted by the full Congress, but a weaker appropriations
amendment proposed by Sen. Wyden did pass, calling on the Administration
to either certify the essential nature of the program or issue a report
that, among other things, "assesses the likely efficacy of systems such as
the Total Information Awareness program in providing practically valuable
predictive assessments of the plans, intentions, or capabilities of
terrorists or terrorist groups." I queried DARPA's press office; the
agency's only apparent action to date has been to create an internal
oversight board and an outside advisory committee, both covering privacy
and policy issues and not addressing the need for technical evaluation.

Where data mining is a search and classification technology, scoring
applies models created via data mining to evaluate particular situations.
The Computer Assisted Passenger Prescreening System, CAPPS II, is a
scoring application designed to screen air travelers that is now in trial
implementation. According to the Transportation Security Administration
(TSA), "CAPPS II will receive scores generated from commercial databases,
which are routinely used millions of times a day by private enterprises in
connection with job candidates or market research."  The Washington Post
reports on a March hearing where "The Office of Management and Budget
raised questions as to whether the new computer program would be effective
in fighting terrorism.  'I have a huge spotlight on that project,' Mark A.
Forman, associate director of the budget office, told the House Committee
on Government Reform's subcommittee on technology and information policy,
according to the Associated Press. 'If we can't prove it lowers risk, it's
not a good investment for government.'"  Forman's office referred me for
follow-up to the Department of Homeland Security, the TSA's parent, which
did not provide any information on current or planned technical oversight.

A Wired magazine article on the TSA's existing current flight-screening
"watchlist" cites cases of individuals who were "inaccurately targeted by
an overly simplistic system" that is resistant to correction attempts.
Small wonder, when large-scale commercial databases contain a large
proportion of erroneous data; I've seen estimates of error rates of up to
ten percent. CAPPS-II would exploit these commercial databases, which, if
it works as outlined, may lead both to a very large number of false
positive results and to lapses.

The government is taking other steps that will weaken the systems it is
creating. For example, the Justice Department has administratively
released the FBI from its statutory duty to ensure the accuracy and
completeness of the National Crime Information Center (NCIC) database,
which holds over 39 million criminal records. And, notably, various
government actions seek to exempt reporting of firearm transactions from
inclusion in terror-prevention programs.

QUESTIONABLE PRACTICES

My experience as a technology analyst has trained me to examine the
foundations of computing-vendor claims of effectiveness, scalability,
cost, and other essential performance measures. I've sat through enough
sales pitches that focus on a product's return on investment to have
developed a deep skepticism about extravagant promises.

I've never seen a promise more spectacular and less supported than the
security effectiveness claims implied by the U.S. Homeland Security,
Defense, and Justice departments in seeking to apply pervasively and on a
huge scale data-mining, profiling, scoring, knowledge management, and
other analytic technologies, assemble centralized and federated databases,
and use commercial and public data sources. The promises haven't been
reined in, and support in the form of scientific evaluation hasn't been
forthcoming despite numerous requests by technically qualified government,
advocacy, and scientific organizations. What we get instead is smoke and
mirrors.


Copyright 2003 Intelligent Enterprise (http://intelligententerprise.com)



------ End of Forwarded Message
