TIA AND MATRIX: FUNCTIONS, BENEFITS, AND BARRIERS



Similar documents
H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

S. ll IN THE SENATE OF THE UNITED STATES A BILL

CRS Report for Congress

Public Law th Congress An Act

Legislative Language

TITLE III INFORMATION SECURITY

Department of Defense DIRECTIVE

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

G.S. 143B A Page 1

One Hundred Twelfth Congress of the United States of America

Corporate Perspectives On Cybersecurity: A Survey Of Execs

28 USC 532. NB: This unofficial compilation of the U.S. Code is current as of Jan. 4, 2012 (see

The Department of the Treasury established the Financial Crimes

Public Law th Congress An Act

September 18, 1998 FIRST QUESTION PRESENTED ANSWER GIVEN SECOND QUESTION PRESENTED ANSWER GIVEN THIRD QUESTION PRESENTED ANSWER GIVEN DISCUSSION

GAO COMBATING TERRORISM. Observations on Options to Improve the Federal Response. Testimony

How To Protect Your Privacy From Data Mining And Aggregation

Public Law th Congress An Act

Identity Theft. The Identity Theft Conundrum

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

The Comprehensive National Cybersecurity Initiative

Statement National Strategy for Trusted Identities in Cybersecurity Creating Options for Enhanced Online Security and Privacy

Federal Bureau of Investigation s Integrity and Compliance Program

DEPARTMENT OF JUSTICE WHITE PAPER. Sharing Cyberthreat Information Under 18 USC 2702(a)(3)

U.S. DoD Physical Security Market

Preservation of longstanding, roles and missions of civilian and intelligence agencies

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

NATIONAL CYBERSECURITY PROTECTION ACT OF 2014

UNCLASSIFIED JOINT UNCLASSIFIED STATEMENT OF ROBERT S. LITT GENERAL COUNSEL OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

TITLE I GENERAL PROVISIONS

January An Overview of U.S. Security Breach Statutes

Privacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office.

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Identity Theft Security and Compliance: Issues for Business

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

DIVISION N CYBERSECURITY ACT OF 2015

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release June 24, 2015 EXECUTIVE ORDER HOSTAGE RECOVERY ACTIVITIES

Privacy Impact Assessment of Automated Loan Examination Review Tool

Report on Data Aggregation Kelly Heffner, Rachel Popkin, Reem Alsweilem, Anjuli Kannan

S AN ACT. To codify an existing operations center for cybersecurity.

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

ADMINISTRATIVE ASSESSMENT OF CIVIL PENALTIES AGAINST FEDERAL AGENCIES UNDER THE CLEAN AIR ACT

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

IN THE WAR ON TERRORISM

Committee on Civil Liberties, Justice and Home Affairs - The Secretariat - Background Note on

CYBERCRIME LAWS OF THE UNITED STATES

JOINT STATEMENT OF ELISEBETH COLLINS COOK ASSISTANT ATTORNEY GENERAL AND VALERIE CAPRONI GENERAL COUNSEL FEDERAL BUREAU OF INVESTIGATION BEFORE THE

October 27, The Honorable John Berry Director Office of Personnel Management 1900 E Street, NW Washington, DC Dear Director Berry:

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

COLORADO INDEPENDENT ETHICS COMMISSION S TRIAL BRIEF

Securities Whistleblower Incentives and Protection

Anti-Money Laundering and Counter- Terrorism Financial Policy

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

2d Session DEPARTMENT OF HOMELAND SECURITY STRATEGY FOR INTERNATIONAL PROGRAMS ACT

Legislative Language

STATEMENT OF RONALD A. CIMINO DEPUTY ASSISTANT ATTORNEY GENERAL FOR CRIMINAL MATTERS, TAX DIVISION, U.S. DEPARTMENT OF JUSTICE BEFORE THE

CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR

CFIUS and Network Security Agreements 1

POTOMAC INSTITUTE FOR POLICY STUDIES. Revolution in Intelligence Affairs: Transforming Intelligence for Emerging Challenges

Privacy Impact Assessment of the Supervisory Enforcement Actions and Special Examinations Tracking System

February 17, Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, DC 20580

Computer Linked Application Information Management System

S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

AT A HEARING ENTITLED THREATS TO THE HOMELAND

U.S. Department of Homeland Security STATEMENT

One Hundred Thirteenth Congress of the United States of America

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

Identity Theft and Tax Administration

INTERIOR FRANCHISE FUND PERMANENT AUTHORITY TO OPERATE

AIRSPACE WAIVERS AND FLIGHT AUTHORIZATIONS FOR CERTAIN AVIATION OPERATIONS (INCLUDING DCA) (Amended)

Department of Homeland Security Information Sharing Strategy

Billing Code: Guidance Concerning the National Security Review Conducted by the Committee

DEPARMTMENT OF HOMELAND SECURITY AUTHORIZATION BILL FOR FY 2008 AND FY 2009 SECTION-BY-SECTION

DIVISION N CYBERSECURITY ACT OF 2015

INFORMATION SHARING IN SUPPORT OF STRATEGIC INTELLIGENCE

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION. Before the. OHIO PRIVACY and PUBLIC RECORDS ACCESS STUDY COMMITTEE. of the

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

DBIDS/IACS PRIVACY IMPACT ASSESSMENT (PIA) 2. Name of IT System: Defense Biometric Identification System (DBIDS)

Crime Pattern Analysis

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

Privacy Act of 1974; Department of Homeland Security, U.S. Customs and Border

S. 754 AN ACT. Be it enacted by the Senate and House of Representa- tives of the United States of America in Congress assembled,

Title V Preventing Fraud and Abuse. Subtitle A- Establishment of New Health and Human Services and Department of Justice Health Care Fraud Positions

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

How To Set Up A National Biological Laboratory Safety And Security Monitoring Program

Privacy Impact Assessment for the Volunteer/Contractor Information System

Standards for Security Categorization of Federal Information and Information Systems

Vulnerabilities in the U.S. Passport System Can Be Exploited by Criminals and Terrorists

Halloween Costume Ideas for the Wii Game

Department of Defense INSTRUCTION

(unofficial English translation)

Summary of Privacy and Data Security Bills- 112 th Congress. Prepared for September 15, 2011 CT Privacy Forum

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES

United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT)

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

How To Implement International Terrorism Agreements

Criminal Justice Sector and Rule of Law Working Group

Transcription:

TIA AND MATRIX: FUNCTIONS, BENEFITS, AND BARRIERS Joe Juidiciani Daniel Snyder BACKGROUND On September 11, 2001, our nation fell victim to the largest attack on United States soil since the birth of the Republic. The aftermath of September 11th exposed severe deficiencies in our nation s national security. Almost instinctively, attention shifted toward various branches of government as citizens sought answers and reassurance that their country would continue to be free from terrorist threats. In one response, the Department of Defense (DoD) established new programs in the Defense Advanced Research Projects Agency (DARPA). 1 The Terrorism Information Awareness Program (TIA) was one of several research and development programs in DARPA s Information Awareness Office (IAO), which was established in January 2002. In the aftermath of the September 11 terrorist attacks, DARPA formed the IAO in part to bring together, under the leadership of one technical office director, several existing DARPA programs focused on applying information technology to combat terrorist threats. TERRORISM INFORMATION AWARENESS PROGRAM (TIA) TIA is a prototype system developed to provide policy-makers and analysts with highly-sophisticated intelligence information about ter- 1

rorist threats. 2 The program was designed to increase the probability that authorized agencies within the United States could preempt terrorist attacks. 3 TIA operates through a complex computer network that allows convenient data sharing across agency boundaries. 4 Consequently, various agents of the executive branch would be entitled to both classified and unclassified information, in a more systematic fashion. 5 The TIA program would work in close collaboration with one or more United States intelligence agencies that would provide operational guidance and technology evaluation, and act as TIA system transition partners. 6 Data mining is the search for significant patterns and trends in large databases using sophisticated statistical techniques and software. The widespread use of computers, and the large amount of information maintained in databases means that there is an abundance of information useful for antiterrorism purposes. TIA and data mining programs extract and compile information into a database from a wide variety of open and closed sources. Open source materials include news wires, the web, and periodicals. Closed sources include government classified documents, flight records, money transfers, and police and prison records. Searches are conducted using Natural Language Processing (NLP), a highly sophisticated system that recognizes a user s query in its natural state and assigns a category to each word. The system is then able to evaluate the context of the query and group it accordingly. After the categorization process, analysts and technicians develop models of common behavior patterns of persons of interest. For example, analysts recognize that terrorists typically travel to the same places, obtain funding from the same sources, and receive training in certain locations. Consequently, a behavior pattern has been recognized and a model of this pattern is developed as a guideline for all future searches. The final result of a query is a complex visual presentation interpreted by analysts who predict possible outcomes and consult executive branch officials on these findings. If implemented, the incorporation of TIA into United States national security efforts would enable groups to form quickly within and across agency boundaries to bring data, expertise, and experience to deal with the problem of terrorism. 7 Moreover, TIA would enable the user to discover preparation and planning for a future terrorist attack 2 against the United States by examining transactions that are being made to aid terrorism. 8 Large quantities of open source and classified materials could be examined to discover planning and preparation of a terrorist organization. 9 Next, TIA would enable a user to discover links between people, places, and events related to suspect terrorist activities. 10 Furthermore, TIA would make information more understandable by portraying it in a visual format making it easier to analyze and detect patterns of activities. 11 Finally, TIA would give the decision-maker an understanding of past events as well as a complete understanding of the possible outcomes of the current situation. 12 With this knowledge, decision-makers would become aware of the risks associated with actionable counter-terrorism options. 13 MULTISTATE ANTI-TERRORISM INFORMATION EXCHANGE (MATRIX) MATRIX is functionally similar to TIA and other counter-terrorism initiatives started since the 2001 attacks. The MATRIX pilot project was initiated in response to the increased need for timely information sharing and exchange of terrorism-related information among members of the law enforcement community. 14 MATRIX was originally funded by Seisint Inc., a private company based in Boca Raton, Florida. 15 Seisint has since been awarded $4 million by the Office of Justice Programs, Bureau of Justice Assistance, and the United States Department of Justice. 16 There are currently seven states participating in the MATIX project. 17 Participating states include Florida, New York, Connecticut, Ohio, Michigan, and Pennsylvania. 18 Most recently, Utah withdrew from the pilot program citing privacy concerns. Governor Olene S. Walker cut ties with the program and appointed an eight-member committee to investigate and oversee the state s involvement. Republican Governor Sonny Perdue also ordered the state of Georgia to cut ties to the federally sponsored antiterrorism database citing privacy concerns. According to its sponsors, MATRIX would significantly lower the number of hours needed for investigations and would improve the chances of law enforcement to make an arrest. 19 To accomplish this, 3

MATRIX would integrate and exchange a person s criminal history, driver s license data, vehicle registration records, and corrections records. 20 Moreover; MATRIX would encourage the exchange of information via secure state websites thereby increasing the ability of the appropriate entities to acquire the crucial information to deter terrorist acts. 21 This information would be made available over a network to authorized users and would serve as a means for users to post and acquire anti-terrorism and alert information. 22 Finally, MATRIX would ensure that state and local law enforcement personnel acquire the necessary data to prevent a terrorist attack since they are the ones on the front lines. 23 DISCUSSION Despite the many benefits data-mining programs such as TIA and MATRIX offer to our country s national security effort, these programs pose several risks. Whether operated by governmental or commercial organizations, the databases present substantial security threats. The use of such databases could provide new targets for attack by malicious computer users and terrorists. 24 Moreover, the databases proposed by TIA could increase the risk of identity theft by providing a wealth of personal information to anyone accessing the database. 25 The success of electronic commerce in the United States may be threatened by TIA because of consumers lack of confidence in privacy preservation. 26 Most non-americans would oppose allowing the United States government to access private information about them. 27 As a result, the development of future e-commerce systems could exclude the United States, thus depriving American companies of significant export opportunities. 28 Additionally, the cost of identity theft is increasing and the potential for more significant theft via this database system could greatly magnify the total costs to citizens, businesses, and government. 29 Because TIA would combine some types of automated data-mining with statistical analysis, there could be a significant personal cost for many Americans. The existence of TIA could impact the behavior of both real terrorists and law-abiding citizens. 30 For example, terrorists may go to great lengths to insure that their behavior is statistically normal. 31 Consequently, ordinary citizens may avoid lawful behavior for fear of being labeled un-american or a terrorist. 32 Law-abiding American citizens may refrain from making charitable donations to Islamic foundations and organizations. Moreover, citizens may avoid travel to countries suspected of harboring terrorists. Out of grave concern for the risks posed by TIA, Congress restricted governmental funding for TIA in the Department of Defense Appropriations Act, 2004. 8120(a) of the Act states in part that: Notwithstanding any other provision of law, no funds appropriated or otherwise made available to the Department of Defense, whether to an element of the Defense Advanced Research Projects Agency or any element, or to any other department, agency, or element of the Federal Government, may be obligated or expended on research and development on the Terrorism Information Awareness program. Pub. L. 108-87, September 30, 2003, 117 Stat. 1054. The Center for Democracy and Technology (CDT) has concluded that even if TIA funding were zeroed out, the development of data mining would go on commercially or at other agencies. 33 Furthermore, CDT argued that government implementation of this uniquely intrusive technology should not go forward without explicit congressional authorization based on a finding of effectiveness, guidance for implementation, and oversight. 34 In addition to this restriction on funding, laws governing the federal government s access to information could serve as potential barriers to data-mining programs. The Privacy Act of 1974, 35 protects the privacy of individuals identified in information systems maintained by federal executive branch agencies and controls the collection, use, and sharing of information. 36 However, general exemptions in the Privacy Act allow the CIA and federal law enforcement agencies to 4 5

exempt certain systems of records from some of the Act s requirements. 37 Unless a statutory exemption applies, no federal executive branch agency may disclose any record which is contained in a system of records to any person or agency except pursuant to written request or consent of the individual to whom the record pertains. 38 These statutory exemptions could potentially authorize the disclosure of personal information, thus providing a potential loophole for data-mining programs like TIA. In addition to existing statutory barriers to TIA, there are proposed bills that could further frustrate the goals of TIA and its successors. H.R. 3 38, The Defense of Privacy Act, would require agencies to conduct privacy impact analysis for both new and existing agency rules and regulations. 39 A key element of the Defense of Privacy Act is that it would require policy makers to identify and address privacy issues at the initial stages of a new project or policy at the conceptual or design stage, before regulations are promulgated. 40 A privacy impact analysis reduces the likelihood that any given regulatory scheme will have a negative impact on privacy after it has been implemented, when it may be difficult to mitigate the impact without substantial expense, delay in the program, or litigation. 41 Because DARPA anticipated that TIA would be used for domestic law enforcement, a privacy impact assessment should have been performed. 42 In addition, DARPA should have performed a privacy impact assessment because TIA s development occurred simultaneously with the transition of TIA into the operational environment. In the future, DARPA should ensure that privacy is considered at the beginning of the development cycle and should implement controls that protect privacy during development. 43 Identify any personally identifiable information associated with business processes. Document any collection, use, disclosure, or destruction of personally identifiable information. Assess the potential privacy risks and options available for mitigating that risk. Ensure that accountability for privacy issues is incorporated into the program. Create a consistent format and structured process for analyzing both technical and legal compliance with relevant regulations. 44 Finally, the Data Mining Reporting Act of 2003 is another piece of proposed legislation that could create a potential barrier to TIA and other such programs. If enacted, this bill would provide Congress with information about the nature and capabilities of data mining technology and the data that would be used to identify potential threats to national security. 45 Moreover, the bill would require all government agencies to assess the efficacy of data mining technology and determine whether the technology can deliver on the promises of each program. 46 This would ensure that federal agencies using datamining technology have considered and developed policies to protect the privacy and due process rights of individuals and ensure that only accurate information is collected and used. 47 The Office of the Inspector General of the Department of Defense recommends that the Under Secretary of Defense for Acquisition, Technology, and Logistics USD (AT&L) in coordination with the Director, DARPA Perform a Privacy Impact Assessment before TIA type technology research continues. Specifically, the privacy impact assessment should: 6 7

ENDNOTES 1 Report to Congress regarding the Terrorism Information Awareness Program, available at http://www.epic.org/privacy/profiling/tia/may03_ report.pdf > (last visited November 7, 2003). 2 Id. 3 Department of Defense Office of the Inspector General: Information Technology Management, TIA, available at http://www.fas.org/irp/agency/ dod/igtia1203.pdf> (last visited February 6, 2004). 4 Report to Congress regarding the Terrorism Information Awareness Program, available at http://www.epic.org/privacy/profiling/tia/may03_ report.pdf> (last visited November 7, 2003). 5 Id. 6 Id. 7 Id. 8 Id. 9 Id. 10 Id. 11 Id. 12 Id. 13 Id. 14 IIR Website, available at http://www.iir.com/matrix/overview.htm> (last visited October 26, 2003). 15 Steve Gilliard, Welcome to the Matrix, available at http://www. dailykos.com/archives/003684.html> (last visited September 20, 2003). 16 IIR Website 17 Id. 18 Id. 19 Id. 20 Id. 21 Id. 22 Id. 23 Id. 24 Association for Computing Machinery Website, available at http://www.acm.org/usacm/letters/tia_final.html> (last visited October 29, 2003). 25 Id. 26 Id. 27 Id. 28 Id. 29 Id. 30 Id. 31 Id. 32 Id. 33 Statement of James X. Dempsey, Executive Director Center for Democracy and Technology, Impact of Government Regulations on Individual Privacy, July 22, 2003. 34 Id. 35 The Privacy Act of 1974, U.S.C. 552(a). 36 Report for Congress, Privacy: Total Information Awareness Programs and Related Information Access, Collection, and Protection Laws, available at http://www.fas.org/irp/crs/rl31730.pdf> (last visited November 10, 2003). 37 Id. 38 Id. 39 Statement of James X. Dempsey, Executive Director Center for Democracy and Technology, Impact of Government Regulations on Individual Privacy, July 22, 2003. 40 Id. 41 Id. 42 Department of Defense Office of the Inspector General: Information Technology Management, TIA, available at http://www.fas.org/irp/agency/ dod/igtia1203.pdf> (last visited February 6, 2004). 43 Id. 44 Id. 45 Senator Feingold, Statements on Introduced Bill and Joint Resolutions, available at http://www.fas.org/irp/congress/2003_cr/s1544.html> (last visited 11/10/03). 46 Id. 47 Id. 8 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information