Features

May 28, 2004 -- Dawn S. Onley -- GCN Staff

A special committee has released findings on ways the Defense Department can use data mining to help identify terrorists while also protecting the privacy of private citizens.

Among other things, the committee calls for a regulatory framework for all DOD data mining, a policy-level privacy officer and a panel of external advisers to identify and resolve privacy issues.

The Technology and Privacy Advisory Committee (TAPAC), appointed by Defense secretary Donald Rumsfeld, came together in February 2003 to examine ways the government could use advanced information technologies to identify terrorists before they act.

The committee was appointed around the same time legislators were in heated battle with officials in the Defense Advanced Research Projects Agency over its Terrorism Information Awareness program.

TIA was a computerized terrorist tracking system designed to collect and correlate information from disparate databases ranging from financial to health, to help the government track down potential terrorists. Congress terminated most of the program�s funding last fall.

The committee was asked to come up with ways DOD could develop safeguards to ensure that data mining techniques are consistent with U.S. law concerning privacy.

Over the course of its background briefings, research and public hearings, committee members called more than 60 witnesses from DOD, other government agencies, industry, academia and advocacy groups, to testify.

Although TAPAC's final report (available from http://www.sainc.com/tapac/finalReport.htm) was sent to Rumsfeld in March, it was released Thursday. Among the 12 recommendations:

TAPAC Recommendations

RECOMMENDATION 1
DOD should safeguard the privacy of U.S. persons when using data mining to fight terrorism. 'Data mining' is defined to mean: searches of one or more electronic databases of information concerning U.S. persons, by or on behalf of an agency or employee of the government.

RECOMMENDATION 2
The Secretary should establish a regulatory framework applicable to all data mining conducted by, or under the authority of, DOD, known or reasonably likely to involve personally identifiable information concerning U.S. persons. The requirements of this section apply to all DOD programs involving data mining concerning U.S. persons, with three exceptions: data mining (1) based on particularized suspicion, including searches of passenger manifests and similar lists; (2) that is limited to foreign intelligence that does not involve U.S. persons; or (3) that concerns federal government employees in connection with their employment. Data mining that is limited to information that is routinely available without charge or subscription to the public?on the Internet, in telephone directories, or in public records to the extent authorized by law?should be conditioned only on the written authorization described in Recommendation 2.1 and the compliance audits described in Recommendation 2.5. All other data mining concerning U.S. persons should comply with all of the following requirements:

RECOMMENDATION 2.1
Written finding by agency head authorizing data mining. Before an agency can employ data mining known or reasonably likely to involve data concerning U.S. persons, the agency head should first make a written finding that complies with the requirements of this recommendation authorizing the data mining.

An agency head may make the written finding described above either for programs that include data mining as one element, and data mining concerning U.S. persons may occur, or for specific applications of data mining where the use of information known or likely to concern U.S. persons is clearly anticipated.

RECOMMENDATION 2.2
Technical requirements for data mining. Data mining of databases known or reasonably likely to include personally identifiable information about U.S. persons should employ or be subject to the requirements of this recommendation (i.e., data minimization, data anonymization, audit trail, security and access, and training).

RECOMMENDATION 2.3
Third-party databases. Data mining involving databases from other government agencies or from private industry may present special risks. Such data mining involving, or reasonably likely to involve, U.S. persons, should adhere to the principles set forth in this recommendation.

RECOMMENDATION 2.4
Personally identifiable information. It is not always possible to engage in data mining using anonymized data. Moreover, even searches involving anonymized data will ultimately result in matches which must be reidentified using personally identifiable information. The use of personally identifiable information known or reasonably likely to concern U.S. persons in data mining should adhere to the following provisions:

An agency within DOD may engage in data mining using personally identifiable information known or reasonably likely to concern U.S. persons on the condition that, prior to the commencement of the search, DOD obtains from the Foreign Intelligence Surveillance Court a written order authorizing the search based on the existence of specific and articulable facts that meet the requirements of this recommendation.

DOD may seek the approval from the Foreign Intelligence Surveillance Court either for programs that include data mining as one element, and data mining of personally identifiable information known or likely to include information on U.S. persons may arise, or for specific applications of data mining where the use of personally identifiable information known or likely to include information on U.S. persons is clearly anticipated.

An agency may reidentify previously anonymized data known or reasonably likely to concern a U.S. person on the condition that DOD obtains from the Foreign Intelligence Surveillance Court a written order authorizing the reidentification based on the existence of specific and articulable facts that meet the requirements of this recommendation.

Without obtaining a court order, the government may, in exigent circumstances, search personally identifiable information or reidentify anonymized information obtained through data mining if it meets the requirements of this recommendation.

RECOMMENDATION 2.5 Auditing for compliance. Any program or activity that involves data mining known or reasonably likely to include personally identifiable information about U.S. persons should be audited not less than annually to ensure compliance with the provisions of this recommendation and other applicable laws and regulations.

RECOMMENDATION 3
DOD should, to the extent permitted by law, support research into means for improving the accuracy and effectiveness of data mining systems and technologies, technological and other tools for enhancing privacy protection, and the broader legal, ethical, social, and practical issues in connection with data mining concerning U.S. persons.

...

For additional information, see for example Epic story and GCN story.

See also Washington Post Story: Common Sense and Computer Analysis, by By Heather Mac Donald (May 31, 2004), critical of TAPAC recommendations.