Interesting People mailing list archives
Analytic Technologies and the War on Terrorism
From: Dave Farber <dave () farber net>
Date: Wed, 14 May 2003 04:36:12 -0400
------ Forwarded Message From: Seth Grimes <grimes () altaplana com> Reply-To: Seth Grimes <grimes () altaplana com> Date: Tue, 13 May 2003 19:52:14 -0700 (PDT) To: Dave Farber <dave () farber net> Subject: Analytic Technologies and the War on Terrorism Dave, My June 17 decision-support column for Intelligent Enterprise magazine is on the lack of scientific evaluation of planned government use of analytic technologies in the war on terrorism. Perhaps it would be of interest to IP readers. I have pasted copy below and would welcome your forwarding it. (There's a formatted PDF version at http://altaplana.com/ie0610-dsup.pdf.) Thanks, Seth Intelligent Enterprise Magazine (http://intelligententerprise.com) D E C I S I O N S U P P O R T Look Before You Leap By Seth Grimes U.S. GOVERNMENT REACTIONS to post-Cold War international terrorism and to threatening autocratic regimes have been information-centric in ways that would make the CEOs of Wal-Mart and FedEx proud. The U.S. Military's reliance on information technologies is worth a column or two, but this column's subject is the ambitious use of IT in the war on terrorism. The government seeks to detect suspect activities through unprecedented electronic surveillance, monitoring, and large-scale data analysis. If successful, antiterror programs will ensure public safety by providing leads and evidence that help agents render would-be terrorists helpless to act. The projected monetary cost of these programs is huge -- proportional to the task -- and there may be significant privacy costs as well. Issues are similar to those faced by private and public organizations that must respond both to public concerns and to government legislation, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA): that information collection, use, and archiving should be justified and disclosed. A host of organizations from across the political spectrum are keeping tabs on these issues as they relate to the war on terrorism, answering in part the age-old question: Quis custodiet ipsos custodes? Who will watch the watchers? There's another part to the answer, however, that's less positive: I find little evidence of government, academic, or advocacy-group oversight in place or planned to evaluate whether these ambitious and highly technical government decision systems are likely to work. FOCUS OF CONCERNS I recently attended a Washington, D.C. program on data mining and privacy sponsored by the Forum on Innovation and Technology and Sen. Ron Wyden (D-Ore.). The three panelists, Richard Perle (former assistant secretary of defense), James Dempsey (executive director of the Center for Democracy and Technology), and Peter Coddington (representing data-mining vendor ClearForest Corp.), discussed whether government national-security programs that integrate and analyze government and commercial data and statistics might compromise the constitutionally derived privacy rights of American citizens. Just as industry uses data mining to detect patterns, create profiles, and score individual cases for risk assessment, fraud detection, creditworthiness, knowledge management (search), and other applications, the federal government would apply these techniques to detect suspicious activity and identify and monitor dangerous persons and organizations. Discussion at that forum was about policy, as you'd expect of a Senate meeting. That data mining, scoring, and similar techniques can and will enhance our security was, to forum panelists and attendees, implicit. It should not have been. Industry best practices say that you need to examine options and show that a particular one will work before spending dollars on implementation, especially when deployment will touch millions of lives. In the desire to be seen as doing something, the government seems to have thrown best practices that we in industry take for granted out the window. When quizzed about the apparent lack of technical evaluation, the forum panelists uniformly responded that "scientific" review is urgent, and none knew of any taking place. They agreed that the large-scale, cross-domain effectiveness of the techniques the government would apply has not been proven. I'll note that in addition, the government does not appear to have evaluated alternatives. I do not question that analytic techniques can help fighting terrorism. But in today's highly charged atmosphere, -- the U.S. is beset by partisan rivalry, the return of record budget deficits, a sluggish economy, our inability to date to bring the 9/11 terrorists to justice, and uncertainty about the limits of U.S. Middle East engagement -- I fear that we have abandoned sensible, prudent technology conventions in the name of political expediency for the sake of appearing to be doing something. While uncertainty about effectiveness and appropriateness does not justify idly doing nothing, neither is it a license for doing just anything. STUTTER STEPS Congress enacted the USA Patriot Act (USAPA) in October 2001 as an initial salvo on war on terrorism. That legislation was passed hastily -- the Electronic Frontier Foundation (EFF) says without "sufficient time to debate it or to hear testimony from experts" -- and greatly expanded the government's surveillance and data collection authority in diverse areas including electronic communications and DNA databases. Draft provisions of the follow-on Domestic Security Enhancement Act of 2003, often referred to as Patriot II, enable law enforcement personnel to collect DNA samples and monitor any individual's electronic communications for up to fifteen days without customary authorizations and oversight. An EFF analysis calls these efforts a "mindless accumulation of data" that "is not intelligence." The EFF analysis offers the opinion that "Intelligence requires focused thinking and focused questions. Instead, we're building a Tower of Babel. If this continues, we'll get the worst of both worlds -- all the disadvantages of widespread privacy invasion with none of the security benefit." Indeed, in what must be the most extensive U.S. manhunt since the decidedly low-tech but successful chase after John Wilkes Booth, the U.S. has been unable to bring to Osama bin Laden to justice. According to some reports, bin Laden employed a feint to evade pursuers, sending an aide off with his tracked cell phone while he slipped away in another direction. The government is pursuing various activities inside and outside the Patriot umbrella. The Total Information Awareness (TIA) program of the Defense Advanced Research Project Agency (DARPA) has proved particularly controversial, in part because Congress never specifically authorized TIA's activities. For that reason and because, in the words of a bill passed by the Senate, the Data-Mining Moratorium Act of 2003, "There has been no demonstration that data-mining by a government, including data -mining such as that which is to occur under the Total Information Awareness program, is an effective tool for preventing terrorism." While few senators are scientists, the Association for Computing Machinery counts among its members numerous qualified computer scientists. The ACM's Public Policy Committee, in a January letter to the Senate Armed Services Committee, expressed "significant doubts that the computer-based TIA Program will achieve its stated goal of countering terrorism through prevention." The ACM letter offered the opinion, "It is unlikely that sufficiently robust databases of the required size and complexity, whether centralized or distributed, can be constructed, financed, and effectively employed in a secure environment, even with significant research advances." It also outlined a number of potential risks including identity theft and the likelihood that even an unachievable 0.1 percent inaccuracy rate would lead to 3 million misidentifications each year. That bill wasn't enacted by the full Congress, but a weaker appropriations amendment proposed by Sen. Wyden did pass, calling on the Administration to either certify the essential nature of the program or issue a report that, among other things, "assesses the likely efficacy of systems such as the Total Information Awareness program in providing practically valuable predictive assessments of the plans, intentions, or capabilities of terrorists or terrorist groups." I queried DARPA's press office; the agency's only apparent action to date has been to create an internal oversight board and an outside advisory committee, both covering privacy and policy issues and not addressing the need for technical evaluation. Where data mining is a search and classification technology, scoring applies models created via data mining to evaluate particular situations. The Computer Assisted Passenger Prescreening System, CAPPS II, is a scoring application designed to screen air travelers that is now in trial implementation. According to the Transportation Security Administration (TSA), "CAPPS II will receive scores generated from commercial databases, which are routinely used millions of times a day by private enterprises in connection with job candidates or market research." The Washington Post reports on a March hearing where "The Office of Management and Budget raised questions as to whether the new computer program would be effective in fighting terrorism. 'I have a huge spotlight on that project,' Mark A. Forman, associate director of the budget office, told the House Committee on Government Reform's subcommittee on technology and information policy, according to the Associated Press. 'If we can't prove it lowers risk, it's not a good investment for government.'" Forman's office referred me for follow-up to the Department of Homeland Security, the TSA's parent, which did not provide any information on current or planned technical oversight. A Wired magazine article on the TSA's existing current flight-screening "watchlist" cites cases of individuals who were "inaccurately targeted by an overly simplistic system" that is resistant to correction attempts. Small wonder, when large-scale commercial databases contain a large proportion of erroneous data; I've seen estimates of error rates of up to ten percent. CAPPS-II would exploit these commercial databases, which, if it works as outlined, may lead both to a very large number of false positive results and to lapses. The government is taking other steps that will weaken the systems it is creating. For example, the Justice Department has administratively released the FBI from its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database, which holds over 39 million criminal records. And, notably, various government actions seek to exempt reporting of firearm transactions from inclusion in terror-prevention programs. QUESTIONABLE PRACTICES My experience as a technology analyst has trained me to examine the foundations of computing-vendor claims of effectiveness, scalability, cost, and other essential performance measures. I've sat through enough sales pitches that focus on a products return on investment to have developed a deep skepticism about extravagant promises. I've never seen a promise more spectacular and less supported than the security effectiveness claims implied by the U.S. Homeland Security, Defense, and Justice departments in seeking to apply pervasively and on a huge scale data-mining, profiling, scoring, knowledge management, and other analytic technologies, assemble centralized and federated databases, and use commercial and public data sources. The promises haven't been reined in, and support in the form of scientific evaluation hasnt been forthcoming despite numerous requests by technically qualified government, advocacy, and scientific organizations. What we get instead is smoke and mirrors. Copyright 2003 Intelligent Enterprise (http://intelligententerprise.com) ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Analytic Technologies and the War on Terrorism Dave Farber (May 14)