Politech mailing list archives

FC: Replies to "What's so bad about Total Information Awareness?"


From: Declan McCullagh <declan () well com>
Date: Thu, 12 Dec 2002 23:07:22 -0500

Other Politech messages:
http://www.politechbot.com/cgi-bin/politech.cgi?name=poindexter

---

To: declan () well com
Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
From: "Thomas A Giovanetti" <tomg () ipi org>
Message-ID: <OF2821FA80.E4B93BD6-ON86256C8B.001EE99E@org>
Date: Mon, 9 Dec 2002 23:48:35 -0600

If Ben is so bright a researcher, he should know better than to make such a glaring error in the first sentence of his post.

TIA is NOT authorized in the Homeland bill. It was authorized as a DOD (Dept. of Defense) appropriation.

In fact, the Homeland bill contains an explicit provision to ban anything like the TIA from ever being implemented.

And that's good.

Now we need to get TIA cancelled from the DOD budget.
_______
Tom Giovanetti
President
Institute for Policy Innovation (IPI)
http://www.ipi.org

---

Date: Tue, 10 Dec 2002 16:53:01 +1100
From: Nathan Cochrane <ncochrane () theage fairfax com au>
Reply-To: ncochrane () theage fairfax com au
Organization: The Age newspaper
To: declan () well com
Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk

Hi Declan

Much of what Ben writes has merit. To paraphrase:

1. Private companies use different, often incompatible technologies.

2. There are usually several instances of the same person in different databases held in the same company.

3. There is no easy way to capture an individual's virtual identity across multiple databases short of mandating use of a national ID card and number at every transaction.

4. Lives could be ruined by poor use of information.

The drive by groups such as OASIS, Microsoft, IBM and Sun to deliver eXtensible Markup Language (XML) -- a single rail gauge for online information sharing -- makes linking systems easier. Although it will be several years before this really takes hold because taxonomies still have to be ratified, software coded, systems migrated etc. But already law enforcement is looking at this area closely as a way to easily find the people and legal documents it is looking for.

Legal XML lawful intercept technical committee announcement
http://lists.oasis-open.org/archives/tc-announce/200211/msg00007.html
"If emergency or exigent conditions exist ... judicial issuance of an authorizing instrument (warrant) can usually be altered by the LEA (law enforcement agency) using another instrument coupled with a posteriori judicial or administrative action."

MORE:
Legally speaking, it's a brief transition
http://www.theage.com.au/articles/2002/12/09/1039379779706.html

Just because an investigator can't be 100 per cent certain a particular identity is the one s/he is looking for, doesn't mean they can't be more or less sure, at least so far as to continue an investigation. This raises a bigger question, how much information will be winnowed out, and what processes will exist to maintain privacy during this phase? By their very existence, these sorts of fishing expeditions are harmful to a free society.

Governments around the world already have national id card and number systems. In Australia it is the tax file number for individuals and BAS number for business. You can't transact without using these numbers, all of which is fed into government systems accessible by LEA here and in the US. In the US there is a drive to do the same thing with drivers' licenses. A single unique key is not necessary when you have a range of keys that can, in unison, provide a high level of confidence.

DARPA is moving ahead with its plans to fund TIA. A few hours ago I spoke with a member of the executive management team of supercomputer maker Cray Inc. Cray is one of five companies each receiving $US3 million to fund a feasibility study into developing a petaflop computer. Big applications for this sort of computer are to track in real time the movements of people, understand how biochemical agents spread in populations during bioterrorism attacks, break complex crypto and trawl through signal streams using semantic forests to find patterns.

Semantic forests article by Suelette Dreyfus
http://www.underground-book.com/articles/CyberWireDispatch-1999-11-30-Semantic-Forests.php3

And just because a failed implementation would destroy an innocent's life is no reason for a government not to do it. The authorities would see that an arrested, imprisoned or executed innocent is a small price to pay for continued national security and the lives of millions, or the interests of a select few.

---

Date: Tue, 10 Dec 2002 10:42:28 -0800 (PST)
From: Ben Polen <benpolen () yahoo com>
Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
To: declan () well com

Declan,

Reading Ben's post reminded me of Terry Gilliam's movie
"Brazil." In the noir sci-fi flick, the government is
basically running its own version of TIA and a bug in the
systems (literally, a fly interferes with the operation of
a typewriter) leads to the arrest and prosecution of the
wrong man. It's quite an amazing movie overall, but the dire
warnings about a surveillance society (and a powerful state
supporting it) are even more important now, in our USA
Patriot/TIA/Homeland Security world. The director's cut of
"Brazil" is worth another viewing for all Politechnicals.
Seriously, don't even bother with the edited version.

-Ben

PS feel free to post this if you do a follow up to Brunk's

---

Date: Mon, 09 Dec 2002 21:29:50 -0800
To: declan () well com, politech () politechbot com
From: Lizard <lizard () mrlizard com>
Subject: Re: FC: What's so bad about Total Information Awareness? by
  Ben Brunk

At 08:57 PM 12/9/2002, Declan McCullagh wrote:

---

Date: Mon, 09 Dec 2002 22:34:13 -0500
From: Ben Brunk <brunkb () ils unc edu>
To: declan () well com
Subject: Debunking TIA

Declan,



Many of these sources of information are private databases owned and maintained by the corporations that rely on them. Even if they were all implemented in say, Oracle, it would be difficult to match up records to any reliable degree. Who knows if the John Poindexter in one database is the same as Jon Pointdexter in another?


Bingo.

Ever see 'Brazil'?

Tuttle, Buttle, what's the difference?

The thing is, no one is going to do a rational analysis and say "This can't work." If they do, they'll be ignored. Government isn't about doing things that work. Government is about looking like you're doing something. Simply honestly saying "There is nothing you can do to stop a determined madman from killing innocent people. Period. That's the price you pay for freedom. When people say that the tree of liberty must be watered in blood, they don't just mean the blood of those who volunteered for the job. A free society is one in which there is danger. Deal with it, or move to North Korea." will not get you re-elected. Promising false safety, out-and-out lying, will get you re-elected, by a wide margin.

Nothing can stop the 'Homeland Security' juggernaut, because of the nature of politics. We'll just have to wait for the next revolution.

---

Date: Tue, 10 Dec 2002 00:10:05 -0800 (PST)
From: Marc Hedlund
To: Declan McCullagh <declan () well com>
Subject: Re: FC: What's so bad about Total Information Awareness? by Ben
 Brunk

Declan,

The criticism I would make of Total Information Awareness (TIA) and
the Department of Homeland Security (DHS) in general is that they are
aggressively centralized solutions to an aggressively decentralized
problem.  I would feel better about our government's efforts to fight
terrorism if I heard much more discussion of decentralized solutions,
and an economic and organizational plan that blended centralized and
decentralized approaches to the problems of terrorism.

The vast majority of discussion around government response to 9/11 has
framed the question as, "How can we change the Federal government to
prevent terrorist attacks?"  The DHS is a Federal entity composed of
existing Federal entities.  Its efforts, and likewise the Pentagon's
TIA proposal, have (in public discussion at least) been described as
aiming to ensure information is shared between sources, analyzed at a
single desk, and acted upon by a central enforcement agency.  In other
words, these efforts aim to centralize information about potential
terrorist acts.

Certainly these are approaches worth using.  The INS sending Mohammed
Atta a letter to his Florida address months after 9/11 can only
provoke a wish for a better head on the shoulders of our national
bureaucracy.  But do we really believe that terrorists -- who
presumably have heard about the DHS -- will act in the future in any
way that would trigger DHS or TIA attention?

We know these terrorists are determined and willing to spend enormous
time and resources preparing a plan.  Terrorist groups, we're told,
plant "sleeper cells" in our country years before an intended attack,
and these cells work strenuously to avoid detection or contact with
other cells.  Assume that we go ahead with a TIA-type program, or even
just the DHS as planned, and that we are now able to monitor and
correlate border entries, large cash transfers, anomalous airline
ticket purchases, and whatever other data might alert a central
authority of terror plans.  Does this really prevent terrorism?  Do we
believe that no terrorist could ever enter the country without
creating a record, bring gold or drugs or something else to convert to
cash on the black market, buy a round-trip ticket rather than a
one-way ticket, and so forth?  It seems obvious that even if
centralized data collection, analysis, and response help the problem,
they certainly do not solve the problem.  A determined attacker -- as
the 9/11 attackers certainly were -- will do what it takes to avoid
TIA triggers.

Furthermore, is it really the best thing for the country for the FBI,
the CIA, and now the DHS to focus so intently on preventing terrorism
from Washington?  I was taken aback to read in the November 21st New
York Times that

  ...the [FBI]'s commitment to nonterrorism cases that were once
  staples of the bureau dropped significantly in the months after the
  Sept. 11 attacks. The number of agents working narcotics cases
  dropped 45 percent, bank fraud cases dropped 31 percent and bank
  robbery investigations dropped 25 percent, according to the Justice
  Department figures, even though the number of reported crimes in
  some cases went up.

I can only wonder what has happened to the CIA in parallel.  The FBI
existed for good reason prior to 9/11 -- fought serious and difficult
crimes prior to 9/11 -- and yet it is now being criticized roundly for
not dropping its earlier priorities more quickly and completely.
(Senator Charles Grassley of Iowa was quoted in the same article as
saying, "Old habits die hard at the FBI.")  We are debilitating the
prevention of crimes that not only still occur, but are increasing.
Who will take up fighting these crimes if not the FBI?  Probably state
and local law enforcement.

Let's look at that for a moment.  Prior to the Millennium celebrations,
a truck filled with bomb-making equipment was stopped at a ferry
crossing in Port Angeles, Washington, and this probably prevented a
serious attack.  While the person who stopped the truck was a Federal
employee (a Customs Inspector), the reason for the stop was not a
centralized database nor an alert from a centralized agency.  Instead,
the driver was stopped because he seemed suspicious.  An individual
acted on a hunch, investigated, and stopped an attack.  We should
learn from this, and we're not.

Rather than centralizing, another approach to fighting terrorism would
be to concentrate resources on training local law enforcement officers
how to better spot and combat terrorism; that is, how to be more like
the Port Angeles Customs Inspector.  Rather than sucking all possible
data sources into the Pentagon or the DHS, we could distribute
knowledge to the local -- far more numerous -- law enforcement
resources who are far more likely to be able to prevent terrorism.  How
do you interview someone seeking admission to the country, or to a
sports arena?  What are the signs of lying that may be visible in
facial expressions or demeanor?  What set of purchases might signal an
attempt to build a bomb?  What are the little details a
carefully-trained eye might be able to piece into detection of a
terrorist?  This is what I mean by a decentralized approach.  Move the
effort to the more massive, more distributed, more intuitive body of
law enforcement coming into daily contact with the same terrorist
cells trying so hard to look normal.  If sleeper cells lie dormant for
years, local police will very likely encounter at least one member of
the cell in that time.  Don't we want those police officers to know
what questions to ask that might detect the cell?

We could be taking this approach, but we're not.  We could be
improving the ability of local law enforcement to detect terrorism --
but instead we're degrading that ability, since we're shifting the
FBI's traditional crime-fighting work onto local resources.  The one
method that has actually prevented a terrorist attack on US soil is
not being used, and is instead being inhibited.  We are focusing on
centralizing intelligence and resources when instead -- or at least in
addition -- we should be decomposing, distributing, decentralizing.

I'm not suggesting, obviously, that the Federal government has no
role, nor a minimal role.  Watch lists and signals intelligence and
data warehousing almost certainly are key tools for fighting
terrorism.  But before we go too far in creating (or trying to create)
a grand unified database of all electronic transactions, maybe we
should think first about whether this is a problem best solved by
brute force data analysis, or a smart cop on the street.

Marc Hedlund
e: marc at precipice dot org

---

From: "Carrick Mundell" <carrick () multispatial com>
To: <declan () well com>
Subject: RE: What's so bad about Total Information Awareness? by Ben Brunk
Date: Tue, 10 Dec 2002 08:45:10 -0800

Declan,

Ben Brunk really spells it out.  If the probability of finding a terrorist
using TIA is practically nil, then the system must be going to be used for
other purposes, namely, domestic spying.  By increasing the size of the
target (e.g. libertarians, liberals, privacy hawks, greens, pro choicers,
Democratic Party donors, persons-we-hate, and, oh yeah, terrorists) maybe
TIA will prove more useful.  What's so bad about Total Information
Awareness?  Everything.

-Carrick Mundell

---

Subject: RE: What's so bad about Total Information Awareness? by Ben Brunk
Date: Tue, 10 Dec 2002 08:59:19 -0800
From: "Ron Schweiger" <Schweig () SRCSoftware com>
To: <declan () well com>

Benjamin is missing one little point that TIA will be widely successful
at which is monitoring ordinary Americans. With a 5% error rate they
will know exactly what 95% of every American is doing at any given time!

Ron

---

Date: Tue, 10 Dec 2002 19:09:45 -0800 (PST)
From: Sascha Goldsmith <saish () yahoo com>
Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
To: "Christopher A. Petro" <petro () christopherpetro com>,
   Declan McCullagh <declan () well com>

"I am SHOCKED, shocked to find gambling in this establishment"

"Sir, your winnings..."

   - Casablanca

CP!!!

I thought you were the leading "privacy/individual rights/get 'yer publicly-funded mitts off my data" individual I knew!!!

That having been said, I agree with a lot of what you had said, with a few caveats. (God, this sounds a lot like our discussions at work, n'est-ce pas?)

First, I think you are right. There is plenty of low-hanging fruit. (I cannot help but wonder if your current vocation makes you more entreated to security collection than your last, but that is only a supposition). The point is: you are right.

However, as a drug-loving, freedom-loving, felony-avoiding individual, I cringe. We have no privacy. Live it, but don't love it. And for God's sake, don't encourage it. This leads me to my caveat.

I fully and totally, without reservation, back the establishment of a British-like MI5 organization in this country. They have statutory limitations. They have a charter, a mission. And they do it well. It took dozens of IRA bombings to lead to its inception, but the institution has adapted and learned and works. We can leverage their decades of experience, and coupled with our similar traditions, the experiment should work.

Here is why: call me a nut, call me a cashew. But I fully believe that the FBI has been, is, and will always be unsuited for intelligence. The duties of prosecution and espionage have significantly different attributes. Let's not dilute the FBI so it does both poorly.

With a newly funded department, focused on a singular mission, their powers to use the data (i.e. pool it with the DEA, IRS, FBI, etc.) will be limited by statute. However, their ability to pool information on terrorists (how that is decided is a tricky issue, but at least you have a separation) should be FULLY exercised in the manner your email eloquently describes. Pool databases, tap into corporate records, share information with the DEA, IRS, FBI, CIA, NSA, DIA and any other TLA they need to.

All I want, as a libertarian, is a "separation of powers". In the most gracious nod to the founders I can muster, let's separate in a statutory, congressional and judicial way, the powers afforded to the aforementioned entities and the newly created US-MI5. (Hell, if we could get James Bond, I would sleep BETTER at night!)

So, in general, I agree with you. But with the abject failure of aforementioned institutions to respect their jurisdictions and to hoard information from other agencies, not to mention the abject failure to stop 9/11, let's start from scratch. Let's protect ourselves with an agency that is ONLY dedicated to that purpose. I'm not talking about Homeland Security. I'm talking about the tech of the NSA, the guile of the CIA, the resources of the DIA, and a whole lot more nefarious to boot. (Let THEM fear the Hellfire missiles from the Predators or the idea of being tapped, not me).

Getting off my soapbox,

Saish





-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------