WHY WE SHOULD BE CONCERNED ABOUT "TOTAL INFORMATION AWARENESS" AND OTHER ANTI-TERRORISM STRATEGIES FOR THE INTERNET

By ANITA RAMASASTRY
Tuesday, Dec. 31, 2002

During 2003, we are likely to see the development of two new government initiatives to use computer technology in terrorism prevention. Each will give the government greater access to Internet data.

One relates to a new federal network-monitoring center, described in the government's September draft of its National Strategy to Secure Cyberspace. The other is the Orwellian-sounding Information Awareness Office, which will be engaged in a project aimed at "Total Information Awareness." Both are cause for concern.

It is well known that terrorists used - and, apparently, still use - the Internet because of its potential for anonymity when communicating worldwide. In addition, the government has noted terrorists' (or simply hackers') denial of service attacks as a potential threat to our national infrastructure.

The government's response to the reality that the Internet can be used to aid terrorism is to attempt to use it in counterterrorism and terrorism prevention. The idea is to amass data and to identify patterns that will stop terrorists before they act. Though the Internet can provide weapons to our enemies, the logic goes, it can also provide tools to our government to detect and fight them.

Even without the new initiatives, some Internet counterterrorism is already occurring. FBI agents can seek court orders to view a suspect's email. And with the USA Patriot Act, Internet Service Providers are being asked, for example, to supply law enforcement with the names of their subscribers. However, the two new proposals, when fully implemented, may go significantly further.

That's troubling, for three major reasons. First, the new proposals may cause widespread invasions of privacy on the Internet.

Second, they may also allow the government to make an end run around the Fourth Amendment's protection against unreasonable searches and seizures.

Third, they may do so entirely in vain: It remains an open question whether a massive database of information on Americans can really preempt terrorist attacks, and there is good reason to think it cannot.

The National Strategy to Secure Cyberspace and Its CNOC

First, let's look at the current draft of the National Strategy to Secure Cyberspace. Authored by the President's Critical Infrastructure Protection Board, it is meant to forge public/private cooperation to protect national computer networks from everything from malicious viruses to terrorist attacks. The ultimate plan will presumably require Congressional approval.

The current draft recommends that Internet Service Providers (ISPs) and information technology security-related companies, among others, establish a Cyberspace Network Operations Center (CNOC). The Internet has thousands of ISPs - from little mom and pop independents, to large conglomerates like AOL and Microsoft. Thus, it's somewhat unclear how this would be done.

The Strategy says that the CNOC, whether physical or virtual, would "share information and ensure coordination to support the health and reliability of Internet operations in the United States." The CNOC "would not be a government entity and would be managed by the private sector, the Federal government should explore ways in which it could cooperate with the [CNOC]." (Emphasis added).

Recent news reports suggest, however, that the draft will soon be amended so that the government - not the private sector - would indeed operate the CNOC. Reports also suggest that the Administration may soon ask ISPs to provide the federal government directly with access to a wide array of data, with the purpose of preventing a terrorist cyber-attack.

The goal - monitoring networks in order to prevent future cyber attacks - seems sensible and laudable. But the problem is that a government-run CNOC may allow the government to track individual usage of the World Wide Web, with a potential cost to individual privacy.

When Does Snooping Become a Fourth-Amendment-Protected Search?

Legally, the point at which broad snooping by the government becomes an individualized search (in this case, a wiretap) to which the Fourth Amendment applies is unclear. This area of law, unfortunately, remains a gray area.

Currently, when the federal government wants to monitor email, using an Internet wiretap device known as "Carnivore," it must obtain a court order. Some commentators view the CNOC as a mega Carnivore: As a result of the CNOC, the government will have access to live feeds on a much larger scale. But this time, the government may take the position that the search is so broad, no court order is necessary.

Alternatively, if the CNOC is truly a cooperative public/private partnership, as the current National Strategy draft indicates, the government may try to take advantage of federal law allowing private monitoring of email without a court order in some situations. That is, it may ask its private cooperators to share information they have privately (and legally) monitored. (In a prior column, I described how the Ashcroft Justice Department is already using a similar strategy when it comes to surveillance).

So far, the Bush administration has tried to ease privacy concerns in this area. For instance, Richard Clarke, the President's cyberspace advisor, recently issued a letter to industry representatives assuring them that the government would not eavesdrop on citizens.

This is somewhat comforting. But the White House's final report needs to be more explicit as to the roles of government and industry in the broad monitoring of Internet traffic. It also needs to be more explicit as to exactly what will occur with respect to such monitoring and explain how network surveillance will not run afoul of the Fourth Amendment.

Total Information Awareness: Digital Profiling?

In 2003, in addition to the National Strategy and CNOC, we will also witness the Bush Administration's "Total Information Awareness" (TIA) program. The program will be run by the Information Awareness Office - which is part of the federal Defense Advanced Research Agency (DARPA).

Retired Admiral John Poindexter, National Security Adviser for former President Ronald Reagan, returned to the Pentagon in February to run the Information Awareness Office and TIA. The initial appropriation for TIA is approximately $200 million.

As presently fashioned, TIA may be the most thorough expansion of surveillance technologies in U.S. history. As such, it presents an unprecedented threat to civil liberties and Constitutional rights.

TIA envisions the creation of a huge, centralized national database of information gathered from existing government and commercial data banks. The records compiled and consolidated will include bank records, tax returns, driver's license data, credit card purchases, airline tickets, gun purchases, work permits, and more.

What would be done with the information? The idea is that terrorists will be tracked by employing computer algorithms to detect suspicious patterns. The problem, though, is that we don't know who the terrorists may be yet.

The government's solution? Simply track everyone - to see if the patterns that allegedly identify someone as a terrorist can be found.

Yet to track everyone, information will have to be tagged to specific individuals - or, at least, specific "digital identities." Thus, while national ID card proposals have been rejected, we may have a computer-generated equivalent.

The result will be to allow the government to essentially reconstruct our movements - our travels, our transactions, and so on. This will all be done without warrants from courts. The result may be to make individual privacy obsolete.

Effectiveness, Fairness and Accuracy Problems With TIA

Because the private sector has already archived so much information on computers, the government's collection job will be made substantially easier. But now it can be put to much more nefarious uses. Inaccurate information won't send you the wrong catalog or result in annoying spam; instead, it may result in your mistaken arrest.

That's very worrisome, because there's a great deal of inaccurate information out there. For instance, a new national study by the Consumer Federation of America has found that inaccurate and incomplete information in consumers' credit reports often forces them to pay higher mortgage rates.

And that is even in a society in which we have some chance to correct our credit reports, and other consumer information, and complain about inaccuracies. Once data enters the TIA database, how will it be updated and corrected? Will those inaccuracies ever be used against you if you apply for a government job or security clearance? All of these questions remain unanswered.

Moreover, when data is taken from private companies, will limitations be respected? Recently, consumers have relinquished data to companies because they believe it will be used in a limited fashion by a company based on its stated privacy policy. Will the government be respecting those policies too, or simply collecting data irrespective of commercial policies? It is unfair to take information surrendered with certain limitations, and then violate those limitations.

More generally, a blind reliance on computer data, rather than the powers of human investigators, may lead us astray. People fit the same pattern for many different reasons.

For example, one-way airplane tickets have been identified as suspicious because terrorists used such tickets on September 11. A lot of U.S. citizens routinely use one-way tickets - often multiple times within a given period.

One person may buy a one-way plane ticket because he is moving to a new city and relocating. A second person may be a busy executive who travels frequently to multiple destinations, rather than on a round trip to and from the same city. A third person may be simply taking advantage of a special airfare, or be a tourist hopping from city to city. A fourth might be a college student, perhaps an Arab American, who is traveling to school and plans to buy another ticket home at the end of the school year. None of these persons are lawbreakers.

Interviews would easily distinguish the four, but data patterns may not. Indeed, the data pattern may superficially identify all four as possible suspects. Meanwhile, the real terrorist won't be booking a one-way airplane ticket, knowing that it will be a giveaway. Nor will he train at U.S. flight schools. Yet any innocent person who does so may fall under suspicion.

Terrorists and other criminals often anticipate the factors that law enforcement will use to profile them and will circumvent them quickly enough. How quickly will the TIA experts be able to change their analysis to keep up with the terrorists?

TIA's Potentially Serious Fourth Amendment Cost

As I noted above, TIA also raises Fourth Amendment concerns. Indeed, it may pose a challenge to existing Fourth Amendment doctrine.

Generally, the Fourth Amendment does not prohibit the government from making use of readily available public information - from whether your car was weaving, to whether someone saw you selling drugs on the corner, to when you told Social Security you were born. But that information has never before been compiled, centralized, and exhaustively analyzed in the way TIA contemplates.

For one thing, taking on the time-consuming task of combing through paper records is very different from downloading large databases that can be sorted with one keystroke. That may sound simply like an increase in efficiency in a function the government already performs. But remember, too, the information collected together will now be used for new purposes - purposes very different from those for which it was originally collected.

Thus, you might not object to your eye test, or medical, information being used to decide whether you get a driver's license and what restrictions it might have. But you might object very much to having a government record of your medical information that can be used for any purpose that searchers choose.

When the government takes massive amounts of our personal data and compiles or stores it, is this not an unreasonable search and seizure?

TIA Lacks Security, Accountability, and Privacy Safeguards

Meanwhile, how will TIA's security be ensured? Government networks and databases and websites can be as vulnerable as commercial networks. And with all this information compiled together, the privacy consequences of security breaches will be dire indeed.

And who will oversee TIA? At present, TIA makes no reference to oversight or accountability to Congress, or any other governmental body. Congress should hold hearings on TIA before the program proceeds further.

Senators Dianne Feinstein and Daniel Inouye have called for a moratorium on TIA spending, noting that Congress has never specifically authorized TIA. That's a good idea, too. Spending shouldn't make TIA a fait accompli before Congress has a chance to fulfill its responsibility to the public to scrutinize TIA and evaluate its merits.

Moreover, if it chooses to go forward with TIA despite privacy costs, Congress needs to help construct safeguards to ensure TIA does as little damage as possible.

Congress may yet act to stop - or at least scrutinize and revise - TIA, as well as the National Security Strategy and the CNOC. And that is exactly what it should do. The war on terrorism is, of course, a serious matter and the government should have the ability to coordinate information sharing, as evidenced by provisions in the USA Patriot Act and other recent legislation. But is spying, or compiling files on, every citizen really the cost of freedom? And if we all surrender to such broad spying, how much freedom do we really have left?


Anita Ramasastry is an Assistant Professor of Law at the University of Washington School of Law in Seattle and the Associate Director of the Shidler Center for Law, Commerce & Technology.
