IN THE NEWS
The story that hackers stole private information on practically every consumer in the United States has depths that the mainstream press is missing.
ChoicePoint, like Acxiom and other companies, filled a void for the US government after 9/11. Even if you didn't have the grandiose ambitions of Total Information Awareness, federal agencies like the FBI wanted some source of information they could use to build counter-terrorist "early warning systems" and track down terrorist suspects after an attack. The early warning system has two parts, the actual store of raw data about who called whom, who went where, what did they buy, etc. The second part is a massive data mining application that sifts through this mountain of information, finds the fingerprints of terrorist plots in the making, and spits out warnings to the people who need to respond at a federal, state, and local level.
The second requirement, what you might call "personal data forensics," is a lot more ad hoc process. There are still problems filtering out information you don't need, while building in search algorithms and other tools that quickly identify what you do need. If you want to find out who funded, directed, and trained the 9/11 hijackers, you'll have to sift through phone records, credit card receipts, bank transactions, and other bits of information that may or may not be relevant.
With counterterrorism suddenly escalated from obscurity to pre-eminence, where would the executive branch find both the information and the tools to make good use of it, either for early warning or forensics purposes? The answer, as is the case with many questions the Bush Administration has posed, is the private sector.
Companies like ChoicePoint had the information on all of us, and it also had some of the data mining and forensics tools. Why not let the experts in the private sector continue their good work, now as official federal contractors?
Why not? Because these companies aren't quite ready for the task at hand. The information they keep is only as good as the last person who updated it. Frequently, information about rental contracts, mailing addresses, phone numbers, bank accounts, and other details are missing, out of date, or flatly wrong. The people who input this information often even get the spelling of a person's name wrong. Not surprisingly, given how many different systems store different types of information about the same individual, there's a big movement among application vendors like SAP, PeopleSoft, and other companies to consolidate and clean up "customer information" better. In other words, there's a big problem these companies are trying to help solve, but the repairs across thousands of personal data repositories, each storing millions of records, has yet to be done.
Second, data mining is an art, not a science. There are standard ways to build these kinds of "pattern recognition systems" for large information stores. For example, experts in this field talk about "star schemas" the way auto mechanics talk about 40,000 mile standard maintenance: an industry-standard technique for addressing a common need.
The questions law enforcement poses--as well as the Constitutionally-mandated protections on privacy, illegal search and seizure, and self-incrimination--aren't standard operating procedure for people who handle data mining for credit card companies. They're like the mechanics who can do general maintenance on your car, but send it to a specialist when they discover a transmission problem.
So who are specialists, the ones who know how to take information from databases build for commercial purposes and filter, analyze, and distribute them to fit the needs of law enforcement and national security professionals? The answer is, I'm afraid, no one yet.
Sure, there are people in the NSA who know how to build systems like Carnivore, which sifts through billions of e-mails to find what may be the order to execute another 9/11-like attack. They're not experienced handling the type of databases that Acxiom, ChoicePoint, et al. maintain. On the private sector side, people within these companies have had some experience working with law enforcement (for example, building the picture of an active conspiracy needed for RICO prosecutions), but nothing on the scale of our current counterterrorism campaign. And, once again, it's important to point out that the information itself has defects. Correcting the errors is a project that's many orders of magnitude harder than building the new data mining applications the FBI, CIA, and other agencies need.
I'm trying to be careful with my words, because the problem isn't with this particular company, or that particular public official. The deeper problem is, the US government had prioritized counterterrorism far too low. As a result, people in the public and private sectors had not made more progress in adressing these challenges. That last sentence is also carefully worded, because I don't want to leave anyone with the impression that all of the problems have a solution. You can correct a lot of errors in these commercial databases, but they'll never achieve a 100% accurate depiction of reality. That means that, the more you depend on these databases over, say, face-to-face information gathering techniques, the more risk you have of arresting the wrong person, or missing the terrorist whom you wanted to catch.
I'll stick my neck out on one point: domestic terrorism. If the systems we're discussing are trustworthy, then they would have been responsible for the arrest of more domestic terrorists, like William Krar. Instead, people--the Unabomber's brother, the person who received a wrongly-delivered package in the Krar case--seem to be responsible for the arrests of domestic terrorists, not elaborate information systems. Timothy McVeigh, as a citizen of the United States, has a longer, more detailed record of personal information--everything from book purchases to truck rentals--than Mohammed Atta. Presumably, the automated alarms for all the McVeighs lurking in the cracks of American society should have already sounded, and more of these suspects should have been arrested and convicted. Unfortunately, the story hasn't turned out that way.
These information technology tools can be useful. They deserve investment and improvement. But they're far from perfect. Critics from the author of Nowhere to Hide to a former Bush Administration DOJ official worry about the government's reliance on these private sources of information. Among their other defects, as we can see today, the security walls around these databases are not impregnable.
Comments