If you’re wondering why the collection and analysis of counterterrorist intelligence still disappoints, a Department of Homeland Security document provides a glimpse at part of the answer. Congress requires the DHS to report annually on the privacy implications of any “data mining” activities it conducts. Data mining is a sophisticated information-analysis technique that sets computers to work sifting through electronic databases for significant patterns—the predilection of people who subscribe to Golfing to take Bermuda vacations, say. Companies and marketers constantly mine publicly available information and commercial data banks (such as credit-card records) to find new ways of understanding and enticing consumers; no one complains about any alleged privacy intrusion.
But when Pentagon researchers proposed using the same techniques after 9/11 to find suspicious patterns of behavior that could indicate terrorist planning—large purchases of fertilizer, say, by people who had traveled through Yemen—privacy advocates and opponents of the Bush administration went ballistic. These self-appointed privacy defenders claimed that the Pentagon researchers would unleash a surveillance monster to prey on the sanctity of the American hearth and home. The charges were baseless; in fact, the government was already using data mining for fraud and criminal investigations, and had somehow avoided metamorphosing into a police state. But in September 2003, the Senate shut down the proposed Pentagon initiative, the Total Information Awareness program.
Ever since the Total Information Awareness debacle, intelligence data-mining programs have been circumscribed by irrational rules that limit how insensate computers can access government intelligence databases. A human analyst, if he were capable of doing so, could legally eyeball the billions of pieces of information in those databases without triggering the same privacy concerns—but any government agency that uses computers to engage in this widespread private-sector practice must report in detail to Congress on its activities. Most disastrously, intelligence analysts are largely prohibited from using data from commercial data aggregators, such as Experian and ChoicePoint, to detect identity and economic fraud, even though marketers use those data every day. Yet even with these extreme regulatory inhibitions on data mining and intelligence analysis, an entire office in the Department of Homeland Security still spends its time policing privacy issues within the department. The continued existence of such an office, of course, depends on its discovering privacy issues for the bureaucrats to police.
DHS’s Privacy Office has just published its 2009 report on DHS’s data-mining activities, which are aimed at assessing the terror or criminal risk of cargo and passengers. Bear in mind that when engaged in data mining, DHS does not search for any individual’s specific data—“Show me everything you’ve got on Umar Farouk Abdulmutallab,” say. Rather, its computer searches are general, looking only for patterns—anomalous itineraries for freight, for example—that seem to suggest a higher degree of risk. The following lengthy passage describes the internal privacy reviews that Congress requires from the department; it’s a peerless example of the red tape that strangles intelligence-gathering.
DHS uses three main documents related to privacy compliance: (1) the Privacy Threshold Analysis (PTA); (2) the PIA [Privacy Impact Assessment]; and (3) the SORN [System of Records Notice]. Each of these documents plays a distinct role in the Department’s privacy activities.
• PTAs: The PTA is the first document completed by a DHS component seeking to implement a system, program, or project. The PTA identifies whether the system, program, or project is a Privacy Sensitive System (i.e., a system that collects or maintains PII or otherwise impacts privacy). The PTA also identifies whether additional privacy compliance documentation such as a PIA or SORN is required.
• PIAs: PIAs are an important tool for examining the privacy impact of IT systems, programs, or projects. The PIA is the method by which the DHS Privacy Office’s Compliance Group reviews system management activities in key areas such as security and how/when information is collected, used, and shared. If a PIA is required, the DHS component will draft the PIA for review by the component Privacy Officer/PPOC and component counsel. Part of the PIA analysis includes determining whether an existing SORN appropriately covers the activity or a new SORN is required. Once the PIA is approved at the component level, the component Privacy Officer or PPOC submits it to the DHS Privacy Office Compliance Group for review and approval by the Chief Privacy Officer.
• SORNs: SORNs provide notice to the public regarding Privacy Act information collected by a system of records, as well as insight into how information is used, retained, and may be corrected. Part of the Privacy Act analysis requires determining whether certain Privacy Act exemptions should be taken to protect the records from disclosure to an individual because of law enforcement and/or national security reasons. If a SORN is required, the program manager will work with the component Privacy Officer or PPOC and component counsel to write a SORN for submission to the DHS Privacy Office.
Multiply this approach across every intelligence-gathering agency, and you have a sense of how cumbersome the process of intelligence analysis is. Large amounts of time and energy are spent complying with reporting requirements, rather than getting relevant information. These mandated reviews represent the encrusted pressure of interest groups pursuing their own hobbyhorses, not the broader public interest. They reinforce incentives to be slow and plodding in pursuing intelligence, because crushing civil-liberties violations and liabilities loom if agents try to be too agile and creative.