News21 A Journalism Initiative of the Carnegie and Knight Foundations

Project Banner

Medill Privacy in an Age of Security

Northwestern University's News21 fellows look at America's new system of surveillance, developed by the government with the help of private data mining firms after 9/11. One story reports on how the Social Security Administration's massive databases are being used in homeland security investigations; another uncovers new details about a secretive program in which the Department of Education shared personal information on hundreds of student loan applicants with the FBI. Two immersive interactive presentations explore the digital trails we leave behind in our daily lives and government data-mining initiatives that might incorporate information about you.

The Privacy Problem: Homeland Security Failures

By Laura Spadanuta, September 1, 2006

The government has spent at least $500 million experimenting with programs that aimed to dig through the details of people’s lives as a way to uncover terrorist threats and prevent future attacks.

The government spent at least $500 million on now-shuttered security programs intended to uncover terrorist threats by sifting through personal data – programs that privacy and security experts say were shut down due to inattention to Americans’ privacy concerns.

The programs, developed after 9/11, have either lost their federal funding or been sent back to the drawing board. Their cancellations not only cost money and diverted resources but left holes in America’s homeland security infrastructure, according to several security experts.

More details on five major federal programs that were dismantled: Operation TIPS, MATRIX, CAPPS II, Secure Flight, Total Information Awareness

“The more mistakes you make, the less people trust what you are doing, and the less faith people have in these tools,” said Daniel Prieto, director of the Homeland Security Center at the Reform Institute, a bipartisan think tank promoting civic participation. “You run the risk of having a very important tool taken away because you stumbled on it too much.”

The discontinued security programs covered a range of activities, from mining the consumer histories of airline passengers to encouraging postal workers to report suspicious activity along their routes.

But according to Michael Vatis, former executive director of the bipartisan Markle Foundation Task Force on National Security in the Information Age, they all shared one common feature: “Not enough attention was paid to how to use information to prevent terrorism while at the same time protecting privacy.”

One result is that U.S. airports still rely on the same system of airline passenger risk screening that was in place before Sept. 11.

Two separate efforts to update airline passenger screening at U.S. airports ran aground after members of Congress and the public voiced concern about how personal information was being used.

Image: Airport Security
A traveller carrying a passport from the Republic of China, right, looks on as a TSA workers searches through her carry-on baggage for liquid items at a security checkpoint in the main terminal of Denver International Airport on Thursday, Aug. 10, 2006. A day after news of a potentially devastating terror plot prompted restrictive rules barring airline passengers from carrying liquids onto planes, screening lines at Denver International have shrunk to normal levels as travellers learned of the rules. (AP Photo/David Zalubowski)

The first, Computer Assisted Passenger Prescreening System II, or CAPPS II, was canceled in August 2004 after congressional hearings and an internal Department of Homeland Security review that faulted its privacy practices. The same month DHS launched Secure Flight, a scaled back pre-screening system. The Government Accountability Office, Congress’ investigative arm, criticized Secure Flight’s managers for not initially disclosing the scope of Secure Flight’s use of personal information obtained from commercial data brokers. The program was suspended in February 2006.

But many security experts believe this has left the nation unnecessarily vulnerable.

“The system we were moving toward would have been useful in preventing another terrorist attack,” said Joseph Whitley, DHS’ former general counsel.

Heather Mac Donald, senior fellow at the conservative Manhattan Institute, said privacy concerns have prevented the government from making full use of technology.

“The problem in most intelligence agencies today or up to 9/11 was they were not using the powers available to them because they were so worried about a hypothetical privacy problem,” she said.

However, many privacy advocates and other security experts said these programs would pass public scrutiny and be more effective if privacy concerns are taken into consideration from the start.

Jim Dempsey, policy director of the privacy advocacy group Center for Democracy and Technology, believes effective national security programs must have explicit goals and must ensure that the information collected is necessary to accomplish those goals.

“Asking the privacy questions upfront will make for better programs, in terms of effectiveness and in terms of enhancing national security.”

Image: Sept11 Commission
Thomas Kean, left, former chairman of the Sept. 11 commission, and former vice chairman Lee H. Hamilton, listen to comments by other panel members and reporters as they discuss progress on the recommendations of their 2004 report, during a news conference in Washington, Nov. 14, 2005. What the Bush administration still needs to do, the review said, is to adopt standards for terror suspects that are in accord with international law. (AP Photo/J. Scott Applewhite)

Bruce Schneier, security expert and founder and chief technical officer of network security firm Counterpane Internet Security Inc., agreed. “We don’t have to choose between security and privacy. Often the best ways to protect security also protect privacy.”

The Reform Institute’s Prieto said the executive branch has taken an ad hoc approach in the development of many of these programs. “They’re coming up with creative projects and basically building them with insufficient prior coordination with the other branches of government.” He added that there has “not been proper forethought given toward the rules of the road that these large data set programs should abide by.”

Addressing such problems after new programs have been introduced to the public is often ineffective. Even when programs are scaled back due to privacy concerns, it typically is too late to stem the public outcry.

Shortly after the 2001 attacks, representatives of Seisint Inc. said they could identify individuals with a “high terrorism factor.” The Florida company went on to provide the software for the MATRIX pilot project the Multistate Anti-terrorism Information Exchange, which received federal funding.

People placed on the high-terrorism list fit a profile of potential terrorists based on personal information mined from commercial databases and other sources. The list caused a stir, and law enforcement officials eventually chose not to add the mechanism to the system used in MATRIX.

However, MATRIX was still classified as a data-mining program by the GAO and its name continued to be associated with the high terrorism factor list. Its federal funding was discontinued in April 2005.
“We sort of lurch from one program to another,” said Dempsey, adding, “Unfortunately, the government has done a poor job of learning from its mistakes.”

Total Information Awareness had budgeted approximately $4 million a year to the development of privacy safeguards although the Defense Department’s Office of the Inspector General deemed the measures insufficiently comprehensive.

When funding for Total Information Awareness was eliminated, several of its related programs were transferred to the intelligence community and are now classified. According to TIA’s program manager Robert Popp, “What did not survive was the $4 million investment in privacy.”

Blog Reactions

See all results ...