TIA AND MATRIX: FUNCTIONS, BENEFITS, AND BARRIERS

Transcription

1 TIA AND MATRIX: FUNCTIONS, BENEFITS, AND BARRIERS Joe Juidiciani Daniel Snyder BACKGROUND On September 11, 2001, our nation fell victim to the largest attack on United States soil since the birth of the Republic. The aftermath of September 11th exposed severe deficiencies in our nation s national security. Almost instinctively, attention shifted toward various branches of government as citizens sought answers and reassurance that their country would continue to be free from terrorist threats. In one response, the Department of Defense (DoD) established new programs in the Defense Advanced Research Projects Agency (DARPA). 1 The Terrorism Information Awareness Program (TIA) was one of several research and development programs in DARPA s Information Awareness Office (IAO), which was established in January In the aftermath of the September 11 terrorist attacks, DARPA formed the IAO in part to bring together, under the leadership of one technical office director, several existing DARPA programs focused on applying information technology to combat terrorist threats. TERRORISM INFORMATION AWARENESS PROGRAM (TIA) TIA is a prototype system developed to provide policy-makers and analysts with highly-sophisticated intelligence information about ter- 1

2 rorist threats. 2 The program was designed to increase the probability that authorized agencies within the United States could preempt terrorist attacks. 3 TIA operates through a complex computer network that allows convenient data sharing across agency boundaries. 4 Consequently, various agents of the executive branch would be entitled to both classified and unclassified information, in a more systematic fashion. 5 The TIA program would work in close collaboration with one or more United States intelligence agencies that would provide operational guidance and technology evaluation, and act as TIA system transition partners. 6 Data mining is the search for significant patterns and trends in large databases using sophisticated statistical techniques and software. The widespread use of computers, and the large amount of information maintained in databases means that there is an abundance of information useful for antiterrorism purposes. TIA and data mining programs extract and compile information into a database from a wide variety of open and closed sources. Open source materials include news wires, the web, and periodicals. Closed sources include government classified documents, flight records, money transfers, and police and prison records. Searches are conducted using Natural Language Processing (NLP), a highly sophisticated system that recognizes a user s query in its natural state and assigns a category to each word. The system is then able to evaluate the context of the query and group it accordingly. After the categorization process, analysts and technicians develop models of common behavior patterns of persons of interest. For example, analysts recognize that terrorists typically travel to the same places, obtain funding from the same sources, and receive training in certain locations. Consequently, a behavior pattern has been recognized and a model of this pattern is developed as a guideline for all future searches. The final result of a query is a complex visual presentation interpreted by analysts who predict possible outcomes and consult executive branch officials on these findings. If implemented, the incorporation of TIA into United States national security efforts would enable groups to form quickly within and across agency boundaries to bring data, expertise, and experience to deal with the problem of terrorism. 7 Moreover, TIA would enable the user to discover preparation and planning for a future terrorist attack 2 against the United States by examining transactions that are being made to aid terrorism. 8 Large quantities of open source and classified materials could be examined to discover planning and preparation of a terrorist organization. 9 Next, TIA would enable a user to discover links between people, places, and events related to suspect terrorist activities. 10 Furthermore, TIA would make information more understandable by portraying it in a visual format making it easier to analyze and detect patterns of activities. 11 Finally, TIA would give the decision-maker an understanding of past events as well as a complete understanding of the possible outcomes of the current situation. 12 With this knowledge, decision-makers would become aware of the risks associated with actionable counter-terrorism options. 13 MULTISTATE ANTI-TERRORISM INFORMATION EXCHANGE (MATRIX) MATRIX is functionally similar to TIA and other counter-terrorism initiatives started since the 2001 attacks. The MATRIX pilot project was initiated in response to the increased need for timely information sharing and exchange of terrorism-related information among members of the law enforcement community. 14 MATRIX was originally funded by Seisint Inc., a private company based in Boca Raton, Florida. 15 Seisint has since been awarded $4 million by the Office of Justice Programs, Bureau of Justice Assistance, and the United States Department of Justice. 16 There are currently seven states participating in the MATIX project. 17 Participating states include Florida, New York, Connecticut, Ohio, Michigan, and Pennsylvania. 18 Most recently, Utah withdrew from the pilot program citing privacy concerns. Governor Olene S. Walker cut ties with the program and appointed an eight-member committee to investigate and oversee the state s involvement. Republican Governor Sonny Perdue also ordered the state of Georgia to cut ties to the federally sponsored antiterrorism database citing privacy concerns. According to its sponsors, MATRIX would significantly lower the number of hours needed for investigations and would improve the chances of law enforcement to make an arrest. 19 To accomplish this, 3

3 MATRIX would integrate and exchange a person s criminal history, driver s license data, vehicle registration records, and corrections records. 20 Moreover; MATRIX would encourage the exchange of information via secure state websites thereby increasing the ability of the appropriate entities to acquire the crucial information to deter terrorist acts. 21 This information would be made available over a network to authorized users and would serve as a means for users to post and acquire anti-terrorism and alert information. 22 Finally, MATRIX would ensure that state and local law enforcement personnel acquire the necessary data to prevent a terrorist attack since they are the ones on the front lines. 23 DISCUSSION Despite the many benefits data-mining programs such as TIA and MATRIX offer to our country s national security effort, these programs pose several risks. Whether operated by governmental or commercial organizations, the databases present substantial security threats. The use of such databases could provide new targets for attack by malicious computer users and terrorists. 24 Moreover, the databases proposed by TIA could increase the risk of identity theft by providing a wealth of personal information to anyone accessing the database. 25 The success of electronic commerce in the United States may be threatened by TIA because of consumers lack of confidence in privacy preservation. 26 Most non-americans would oppose allowing the United States government to access private information about them. 27 As a result, the development of future e-commerce systems could exclude the United States, thus depriving American companies of significant export opportunities. 28 Additionally, the cost of identity theft is increasing and the potential for more significant theft via this database system could greatly magnify the total costs to citizens, businesses, and government. 29 Because TIA would combine some types of automated data-mining with statistical analysis, there could be a significant personal cost for many Americans. The existence of TIA could impact the behavior of both real terrorists and law-abiding citizens. 30 For example, terrorists may go to great lengths to insure that their behavior is statistically normal. 31 Consequently, ordinary citizens may avoid lawful behavior for fear of being labeled un-american or a terrorist. 32 Law-abiding American citizens may refrain from making charitable donations to Islamic foundations and organizations. Moreover, citizens may avoid travel to countries suspected of harboring terrorists. Out of grave concern for the risks posed by TIA, Congress restricted governmental funding for TIA in the Department of Defense Appropriations Act, (a) of the Act states in part that: Notwithstanding any other provision of law, no funds appropriated or otherwise made available to the Department of Defense, whether to an element of the Defense Advanced Research Projects Agency or any element, or to any other department, agency, or element of the Federal Government, may be obligated or expended on research and development on the Terrorism Information Awareness program. Pub. L , September 30, 2003, 117 Stat The Center for Democracy and Technology (CDT) has concluded that even if TIA funding were zeroed out, the development of data mining would go on commercially or at other agencies. 33 Furthermore, CDT argued that government implementation of this uniquely intrusive technology should not go forward without explicit congressional authorization based on a finding of effectiveness, guidance for implementation, and oversight. 34 In addition to this restriction on funding, laws governing the federal government s access to information could serve as potential barriers to data-mining programs. The Privacy Act of 1974, 35 protects the privacy of individuals identified in information systems maintained by federal executive branch agencies and controls the collection, use, and sharing of information. 36 However, general exemptions in the Privacy Act allow the CIA and federal law enforcement agencies to 4 5

4 exempt certain systems of records from some of the Act s requirements. 37 Unless a statutory exemption applies, no federal executive branch agency may disclose any record which is contained in a system of records to any person or agency except pursuant to written request or consent of the individual to whom the record pertains. 38 These statutory exemptions could potentially authorize the disclosure of personal information, thus providing a potential loophole for data-mining programs like TIA. In addition to existing statutory barriers to TIA, there are proposed bills that could further frustrate the goals of TIA and its successors. H.R. 3 38, The Defense of Privacy Act, would require agencies to conduct privacy impact analysis for both new and existing agency rules and regulations. 39 A key element of the Defense of Privacy Act is that it would require policy makers to identify and address privacy issues at the initial stages of a new project or policy at the conceptual or design stage, before regulations are promulgated. 40 A privacy impact analysis reduces the likelihood that any given regulatory scheme will have a negative impact on privacy after it has been implemented, when it may be difficult to mitigate the impact without substantial expense, delay in the program, or litigation. 41 Because DARPA anticipated that TIA would be used for domestic law enforcement, a privacy impact assessment should have been performed. 42 In addition, DARPA should have performed a privacy impact assessment because TIA s development occurred simultaneously with the transition of TIA into the operational environment. In the future, DARPA should ensure that privacy is considered at the beginning of the development cycle and should implement controls that protect privacy during development. 43 Identify any personally identifiable information associated with business processes. Document any collection, use, disclosure, or destruction of personally identifiable information. Assess the potential privacy risks and options available for mitigating that risk. Ensure that accountability for privacy issues is incorporated into the program. Create a consistent format and structured process for analyzing both technical and legal compliance with relevant regulations. 44 Finally, the Data Mining Reporting Act of 2003 is another piece of proposed legislation that could create a potential barrier to TIA and other such programs. If enacted, this bill would provide Congress with information about the nature and capabilities of data mining technology and the data that would be used to identify potential threats to national security. 45 Moreover, the bill would require all government agencies to assess the efficacy of data mining technology and determine whether the technology can deliver on the promises of each program. 46 This would ensure that federal agencies using datamining technology have considered and developed policies to protect the privacy and due process rights of individuals and ensure that only accurate information is collected and used. 47 The Office of the Inspector General of the Department of Defense recommends that the Under Secretary of Defense for Acquisition, Technology, and Logistics USD (AT&L) in coordination with the Director, DARPA Perform a Privacy Impact Assessment before TIA type technology research continues. Specifically, the privacy impact assessment should: 6 7

5 ENDNOTES 1 Report to Congress regarding the Terrorism Information Awareness Program, available at report.pdf > (last visited November 7, 2003). 2 Id. 3 Department of Defense Office of the Inspector General: Information Technology Management, TIA, available at dod/igtia1203.pdf> (last visited February 6, 2004). 4 Report to Congress regarding the Terrorism Information Awareness Program, available at report.pdf> (last visited November 7, 2003). 5 Id. 6 Id. 7 Id. 8 Id. 9 Id. 10 Id. 11 Id. 12 Id. 13 Id. 14 IIR Website, available at (last visited October 26, 2003). 15 Steve Gilliard, Welcome to the Matrix, available at dailykos.com/archives/ html> (last visited September 20, 2003). 16 IIR Website 17 Id. 18 Id. 19 Id. 20 Id. 21 Id. 22 Id. 23 Id. 24 Association for Computing Machinery Website, available at (last visited October 29, 2003). 25 Id. 26 Id. 27 Id. 28 Id. 29 Id. 30 Id. 31 Id. 32 Id. 33 Statement of James X. Dempsey, Executive Director Center for Democracy and Technology, Impact of Government Regulations on Individual Privacy, July 22, Id. 35 The Privacy Act of 1974, U.S.C. 552(a). 36 Report for Congress, Privacy: Total Information Awareness Programs and Related Information Access, Collection, and Protection Laws, available at (last visited November 10, 2003). 37 Id. 38 Id. 39 Statement of James X. Dempsey, Executive Director Center for Democracy and Technology, Impact of Government Regulations on Individual Privacy, July 22, Id. 41 Id. 42 Department of Defense Office of the Inspector General: Information Technology Management, TIA, available at dod/igtia1203.pdf> (last visited February 6, 2004). 43 Id. 44 Id. 45 Senator Feingold, Statements on Introduced Bill and Joint Resolutions, available at (last visited 11/10/03). 46 Id. 47 Id. 8 9