Total Info System Totally Touchy By Ryan Singel

Story location: http://www.wired.com/news/politics/0,1283,56620,00.html 02:00 AM Dec. 02, 2002 PT

Can a massive database of information on Americans really preempt terrorist attacks? That's what industry experts are asking about the Pentagon's proposed Total Information Awareness System, which, according to the proposal (PDF), would aggregate on "an unprecedented scale" credit card, medical, school and travel records. Critics say looking for terrorists by rooting around in private, commercial databases of Americans' personal information violates the Fourth Amendment -- not to mention citizens' privacy. Some in the industry even refuse to work on the project on ethical grounds. While the proposal makes clear that designing such databases would require "revolutionary new technology," its goal is to create a working system to hand to law enforcement and intelligence agencies. The Total Information Awareness System and related efforts received $137 million in government funding for the 2003 fiscal year. It is the signature project of the Office of Information Awareness, which operates under the Defense Advanced Research Projects Agency. Leading the initiative is Retired Admiral John Poindexter, who is controversial because of his 1991 conviction (later overturned) for lying to Congress about the Iran-Contra affair. "Terrorists operate in shadowy networks," said Pentagon spokeswoman Jan Walker. "People have to move and plan before committing a terrorist act. Our hypothesis is their planning process has a signature." Project coordinators will start by creating a database of fake transactions mixed with real intelligence data and simulated terrorist "clues." Then they will test the ability of pattern-matching algorithms and data-mining tools to spot the terrorist signatures. "The proposal is do-able and feasible, but the idea of making it into a single window onto disparate information and integrating it on a massive scale is the real challenge," said Chris Sherman, associate editor of Search Engine Watch. Sherman pointed to existing technologies such as software from i2 that the Treasury uses to track financial crimes, as an example of technology that hunts for hidden data patterns. Others in the industry question the system's feasibility. "The kind of things they are looking for are hard to find," said Herb Edelstein, president of datamining company Two Crows. "Terrorism is an adaptive problem. It's pretty unlikely the next terrorist attack will be people hijacking planes and crashing them into buildings. "The project is not going to have near-term contributions to the war on terrorism. It's not clear this is an economically valuable way to fight terrorism." Simson Garfinkel, author of Database Nation: The Death of Privacy in the 21st Century, also has doubts. "Data mining is good for the purpose of increasing sales and figuring out where to place products in stores," he said. "This is very different from figuring out if these products are going to be used

for terrorist activities." Incorrect guesses present problems, too. "With meaningful pattern recognition, the order of magnitude of errors from inferences is huge, something like ten to the third (power)," said Paul Hawken, author of The Ecology of Commerce and the chairman of information mapping software company Groxis. "There would be an incalculable expense to monitor a thousand wrong hits for one correct inference." In fact, Hawken said, Groxis spurned, on principle, an offer from Poindexter's group to get involved in the project. "We make tools for people to make sense of the information in the world, not for the world to make more information out of people," Hawken said. Hawken is skeptical about the project's ability to attract top industry names. He said he knows other people, including those who have worked for the National Security Agency, who refused to work on it for ethical reasons. "I don't know how you profile resentment and anger, but I don't think you do it from how many times someone goes to Wal-Mart," he said. And the project faces other problems. Database fields are not standardized, and the data they contain isn't always reliable. Names get misspelled, digits are transposed, addresses are outdated or incorrect, and few names are unique. "The data quality problem is enormous, but what's alarming is the danger of false positives based on incorrect data," Edelstein said. "Think of the number of people who get in trouble with the law because they have the same name as somebody else." Despite widespread use of Social Security numbers in medical and financial records, there is still no "unique identifier" that would allow the new system to track individuals with total accuracy.
Wired News: Staff | Contact Us | Advertising We are translated daily into Spanish, Portuguese, and Japanese © Copyright 2002, Lycos, Inc. All Rights Reserved.

November 22, 2002 Agency Weighed, but Discarded, Plan Reconfiguring the Internet By JOHN MARKOFF The Pentagon research agency that is exploring how to create a vast database of electronic transactions and analyze them for potential terrorist activity considered but rejected another surveillance idea: tagging Internet data with unique personal markers to make anonymous use of some parts of the Internet impossible. The idea, which was explored at a two-day workshop in California in August, touched off an angry private dispute among computer scientists and policy experts who had been brought together to assess the implications of the technology. The plan, known as eDNA, called for developing a new version of the Internet that would include enclaves where it would be impossible to be anonymous while using the network. The technology would have divided the Internet into secure "public network highways," where a computer user would have needed to be identified, and "private network alleyways," which would not have required identification. Several people familiar with the eDNA discussions said such secure areas might have first involved government employees or law enforcement agencies, then been extended to security-conscious organizations like financial institutions, and after that been broadened even further. A description of the eDNA proposal that was sent to the 18 workshop participants read in part: "We envisage that all network and client resources will maintain traces of user eDNA so that the user can be uniquely identified as having visited a Web site, having started a process or having sent a packet. This way, the resources and those who use them form a virtual `crime scene' that contains evidence about the identity of the users, much the same way as a real crime scene contains DNA traces of people." The proposal would have been one of a series of technology initiatives that have been pursued by the Bush administration for what it describes as part of the effort to counter the potential for further terrorist attacks in the Unites States. Those initiatives include a variety of plans to trace and monitor the electronic activities of United States citizens. In recent weeks another undertaking of the the Defense Advanced Research Projects Agency, or Darpa, the Pentagon research organization, has drawn sharp criticism for its potential to undermine civil liberties. That project is being headed by John M. Poindexter, the retired vice admiral who served as national security adviser to President Ronald Reagan. Dr. Poindexter returned to the Pentagon in January to direct the research agency's Information Awareness Office, created in the wake of the Sept. 11 attacks. That office has been pursuing a surveillance system called Total Information Awareness that would permit intelligence analysts and law enforcement officials to mount a vast dragnet through electronic transaction data ranging from credit card information to veterinary records, in the United States and internationally, to hunt for terrorists. In contrast, with eDNA the user would have needed to enter a digital version of unique personal identifiers, like a fingerprint or voice, in order to use the secure enclaves of the network. That would have been turned into an electronic signature that could have been appended to every Internet message or activity and thus tracked back to its source. The eDNA idea was originally envisioned in a private brainstorming session that included the director of Darpa, Dr. Tony Tether, and a number of computer researchers, according to a person with intimate knowledge of the proposal. At the meeting, this person said, Dr. Tether asked why Internet attacks could not be traced back to their point of origin, and was told that given the current structure of the Internet, doing so was frequently not possible. The review of the proposal was financed by a second Darpa unit, the Information Processing Technology Office. This week a Darpa spokeswoman, Jan Walker, said the agency planned no further financing for the idea. In

explaining the reason for the decision to finance the review in the first place, Ms. Walker said the agency had been "intrigued by the difficult computing science research involved in creating network capabilities that would provide the same levels of responsibility and accountability in cyberspace as now exist in the physical world." Darpa awarded a $60,000 contract to SRI International, a research concern based in Menlo Park, Calif., to investigate the concept. SRI then convened the workshop in August to evaluate its feasibility. The workshop brought together a group of respected computer security researchers, including Whitfield Diffie of Sun Microsystems and Matt Blaze of AT&T Labs; well-known computer scientists like Roger Needham of Microsoft Research in Cambridge, England; Michael Vatis, who headed the National Infrastructure Protection Center during the Clinton administration; and Marc Rotenberg, a privacy expert from the Electronic Privacy Information Center. The workshop was led by Mr. Blaze and Dr. Victoria Stavridou, an SRI computer scientist, one of those who had originally discussed the eDNA concept with Darpa officials. At the workshop, the idea was criticized by almost all the participants, a number of them said, on both technical and privacy grounds. Several computer experts said they believed that it would not solve the problems it would be addressing. "Before people demand more surveillance information, they should be able to process the information they already have," Mark Seiden, an independent computer security expert who attended the workshop, said in an interview. "Almost all of our failures to date have come from our inability to use existing intelligence information." Several of the researchers told of a heated e-mail exchange in September over how to represent the consensus of the workshop in a report that was to be submitted to Darpa. At one point, Mr. Blaze reported to the group that he had been "fired" by Dr. Stavridou, of SRI, from his appointed role of writing the report presenting that consensus. In e-mail messages, several participants said they believed that Dr. Stavridou was hijacking the report and that the group's consensus would not be reported to Darpa. "I've never seen such personal attacks," one participant said in a subsequent telephone interview. In defending herself by e-mail, Dr. Stavridou told the other panelists, "Darpa asked SRI to organize the meeting because they have a deep interest in technology for identifying network miscreants and revoking their network privileges." In October, Dr. Stavridou traveled to Darpa headquarters in Virginia and — after a teleconference from there that was to have included Mr. Blaze, Mr. Rotenberg and Mr. Vatis was canceled — later told the panelists by e-mail that she had briefed several Darpa officials on her own about the group's discussions. In that e-mail message, sent to the group on Oct. 15, she reported that the Darpa officials had been impressed with the panel's work and had told her that three Darpa offices, including the Information Awareness Office, were interested in pursuing the technology. This week, however, in response to a reporter's question, Darpa said it had no plans to pursue the technology. And an SRI spokeswoman, Alice Resnick, said yesterday, "SRI informed Darpa that the costs and risks would outweigh any benefit." Dr. Stavridou did not return phone calls asking for comment. Copyright The New York Times Company

Sign up to vote on this title
UsefulNot useful