Ever since 11 September 2001, governments, national security & law enforcement around the world have been arguing vigorously for hugely increased collection of information about citizens from disconnected sources and applying data mining to it. Enormous resources have gone into these initiatives and laws protecting citizen rights have been compromised to allow them. They have been equally vehemently opposed by civil liberties and privacy advocate interests.
The debate has been long on rhetoric and short on cold, hard analysis.
At last, the debate is beginning to change. It took a significant step forward on 7 October with the release of a report by the US National Academy of Sciences titled Protecting individual privacy in the struggle against terrorists. The report was funded in part by the US Department of Homeland Security and the US National Science Foundation. These are reputable researchers funded from reputable sources.
The report rather bluntly states that explosive increases in data mining have been a waste of time and resources. Hopefully it marks the beginning of the end of a rather frightening era of this form of data surveillance by government.
The Center for Information Policy Leadership (CIPL) summarises the report into 4 major points:
- There is little evidence that “data mining” works as a tool to detect or prevent terrorism, and lots of reason to think that it is unlikely to ever work for those purposes. There are many practical problems—bad and unstructured data loom especially large—but the major obstacle is that data mining depends on having lots of identified patterns to work with in order to make predictions. Commercial data mining, for example, for fraud prevention and marketing, depends on observing millions or tens of millions of transactions to be able to recognize statistically relevant linkages or patterns. Fortunately, we have very few patterns of terrorist behavior to work with, and terrorists (unlike most consumers) are working hard to mask their transactions, so the “promise” of data mining as a counterterrorism tool seems unlikely to be realized.
- There is similarly little evidence that behavioral or biometric monitoring works to detect or prevent terrorist acts. In fact, the committee found so little evidence of any success with behavioral or biometric monitoring that it could not reach consensus on any role that such techniques might play in counterterrorism.
- The committee expressed concern about the extent to which outdated and convoluted laws governing access to and use of personal data by the government were both undermining privacy and hampering good security. The committee, therefore, called on Congress to revise and update its data privacy laws.
- Finally, to stop the government from squandering scarce resources, unnecessarily invading privacy, and compromising national security, the committee recommended that all existing and proposed data-based programs be required by law to be analyzed for their effectiveness and consistency with U.S. laws and values. The committee proposed a framework of specific questions for doing this, and called on Congress to enact that or some similar framework into law.
Fred Cate, who served on the Committee that produced the NAS report, is a good friend & great intellectual sparring partner. I don’t always agree with him (e.g. some of what he has had to say about data breach notification law is not the full story by any means), so it is interesting that he has come up with this position here.
More grist for the mill is set out in The quixotic quest for invulnerability: assessing the costs, benefits, and probabilities of protecting the homeland by John Mueller et al. from Ohio State University, dated 10 March 2008. I am still trying to work out the extent to which the authors' tongues are in their cheeks, but that notwithstanding, they make some good points. Have a read.
All that said, the debate isn't over yet, as a recent Hollowmen episode about National Security attests. If you haven’t seen it already, it is one of their better efforts. The UK is in the middle of a similar debate, for example as discussed in The all-seeing state is about to end privacy as we know it, an Opinion piece by Jenni Russell.
There is plenty of strong position taking on both sides of this debate still to come. We don't need much more of that. We do need more of the kind of analysis that this new NAS report has given us.
Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.