A Good Start for the 110th
January 10, 2007
The Senate Judiciary Committee used its first hearing of the new Congress to examine the privacy and national security issues associated with government data mining programs. Our Executive Director, Leslie Harris, testified. I watched online. Like any Congressional hearing, things wandered a bit (I learned that former Rep. Bob Barr is in the Borat movie), but it is clear that some Senators are seriously trying to find ways to advance national security without sacrificing privacy, due process, and accountability. The hearing also demonstrated that getting there won't be easy. All the witnesses agreed that "data mining" is hard to define. CDT believes that a good enough definition -- at least for policymaking purposes -- would focus on predictive or pattern-based scans of large sets of data, where the goal is to assign risk scores or find individuals whose behavior matches some pattern believed to be associated with terrorist or criminal behavior. This definition would exclude one-to-one searches, such as comparing air passenger lists against watch-lists of suspected terrorists, which pose a different set of problems. It would exclude link analysis, where the government starts with some known or suspected terrorist and tries to draw a picture of the enterprise of which he may be a part, a technique that seems quite close to traditional law enforcement and intelligence. It would include the Automated Targeting System, which the government recently admitted it is using to assign a risk assessment to all travelers entering or leaving the US, including citizens. (Last month, CDT joined other privacy groups in comments examining the problems associated with the secret re-direction of ATS against individuals). Today's witnesses generally agreed that the Executive Branch should be more transparent -- at least with Congress -- about what data mining programs the government is running. Senators Feingold (D-WI), Sununu (R-NH) and others introduced today a bill that would require the Executive Branch to report to Congress on its use of predictive or pattern-based data mining. It would seem indisputable that such a law would be an appropriate first step, at the very least from a good government standpoint: how are the intelligence and homeland security agencies spending their money? There was also general agreement that efficacy is the threshold question in any information program (especially ones involving personally identifiable data and the risks of error adversely affecting individuals). CDT's position is that pattern-based data mining might work, but we just haven't seen the evidence. And it was clear that members of the Committee haven't seen it either. Former chairman Arlen Specter (R-PA) warned the new Democratic majority not to expect too much: in his years as chairman, Specter labored mightily to conduct oversight, and spoke today of his frustration with not getting very much from the Executive Branch. That would argue for a position CDT took this morning: Congress should use the power of the purse to prohibit the use of unauthorized data mining (as defined above). If the Executive Branch thinks it has an effective program, it should come forward and tell Congress, explain the program and get the money for it. Congress has already put that limit on implementation of the risk assessment program "Secure Flight." CDT urged Congress today to do the same across the board. Senator Specter raised an interesting question: If efficacy is a threshold question, how do you define it? In CDT's view, the standard is not perfection. Rather the standard is: does the program materially assist in the pursuit of a mission (keeping terrorists off airplanes, keeping terrorists from entering the country), without high levels of collateral damage to civil liberties, to the extent that in a world of limited resources, the program deserves to made a priority over other efforts that would serve the same mission. That's not a mathematical formula, but I think it is better than anything anybody is applying today to decide which data mining programs to launch. Finally, there was little dispute of CDT's main point: the legal framework as it exists today is not up to the task of dealing with technology's advance. Leslie referred to the "perfect storm" of technological innovation, increased government power and outdated legal protections. The next step is to spell out a workable set of rules that would respond to that environment. The Fair Information Practices provide a starting point.