The government spent at least $500 million on now-shuttered security programs intended to uncover terrorist threats by sifting through personal data – programs that privacy and security experts say were shut down due to inattention to Americans’ privacy concerns.
The programs, developed after 9/11, have either lost their federal funding or been sent back to the drawing board. Their cancellations not only cost money and diverted resources but left holes in America’s homeland security infrastructure, according to several security experts.
More details on five major federal programs that were dismantled: Operation TIPS, MATRIX, CAPPS II, Secure Flight, Total Information Awareness
“The more mistakes you make, the less people trust what you are doing, and the less faith people have in these tools,” said Daniel Prieto, director of the Homeland Security Center at the Reform Institute, a bipartisan think tank promoting civic participation. “You run the risk of having a very important tool taken away because you stumbled on it too much.”
The discontinued security programs covered a range of activities, from mining the consumer histories of airline passengers to encouraging postal workers to report suspicious activity along their routes.
But according to Michael Vatis, former executive director of the bipartisan Markle Foundation Task Force on National Security in the Information Age, they all shared one common feature: “Not enough attention was paid to how to use information to prevent terrorism while at the same time protecting privacy.”
One result is that U.S. airports still rely on the same system of airline passenger risk screening that was in place before Sept. 11.
Two separate efforts to update airline passenger screening at U.S. airports ran aground after members of Congress and the public voiced concern about how personal information was being used.
The first, Computer Assisted Passenger Prescreening System II, or CAPPS II, was canceled in August 2004 after congressional hearings and an internal Department of Homeland Security review that faulted its privacy practices. The same month DHS launched Secure Flight, a scaled back pre-screening system. The Government Accountability Office, Congress’ investigative arm, criticized Secure Flight’s managers for not initially disclosing the scope of Secure Flight’s use of personal information obtained from commercial data brokers. The program was suspended in February 2006.
But many security experts believe this has left the nation unnecessarily vulnerable.
“The system we were moving toward would have been useful in preventing another terrorist attack,” said Joseph Whitley, DHS’ former general counsel.
Heather Mac Donald, senior fellow at the conservative Manhattan Institute, said privacy concerns have prevented the government from making full use of technology.
“The problem in most intelligence agencies today or up to 9/11 was they were not using the powers available to them because they were so worried about a hypothetical privacy problem,” she said.
However, many privacy advocates and other security experts said these programs would pass public scrutiny and be more effective if privacy concerns are taken into consideration from the start.
Jim Dempsey, policy director of the privacy advocacy group Center for Democracy and Technology, believes effective national security programs must have explicit goals and must ensure that the information collected is necessary to accomplish those goals.
“Asking the privacy questions upfront will make for better programs, in terms of effectiveness and in terms of enhancing national security.”
Bruce Schneier, security expert and founder and chief technical officer of network security firm Counterpane Internet Security Inc., agreed. “We don’t have to choose between security and privacy. Often the best ways to protect security also protect privacy.”
The Reform Institute’s Prieto said the executive branch has taken an ad hoc approach in the development of many of these programs. “They’re coming up with creative projects and basically building them with insufficient prior coordination with the other branches of government.” He added that there has “not been proper forethought given toward the rules of the road that these large data set programs should abide by.”
Addressing such problems after new programs have been introduced to the public is often ineffective. Even when programs are scaled back due to privacy concerns, it typically is too late to stem the public outcry.
Shortly after the 2001 attacks, representatives of Seisint Inc. said they could identify individuals with a “high terrorism factor.” The Florida company went on to provide the software for the MATRIX pilot project the Multistate Anti-terrorism Information Exchange, which received federal funding.
People placed on the high-terrorism list fit a profile of potential terrorists based on personal information mined from commercial databases and other sources. The list caused a stir, and law enforcement officials eventually chose not to add the mechanism to the system used in MATRIX.
However, MATRIX was still classified as a data-mining program by the GAO and its name continued to be associated with the high terrorism factor list. Its federal funding was discontinued in April 2005.
“We sort of lurch from one program to another,” said Dempsey, adding, “Unfortunately, the government has done a poor job of learning from its mistakes.”
Total Information Awareness had budgeted approximately $4 million a year to the development of privacy safeguards although the Defense Department’s Office of the Inspector General deemed the measures insufficiently comprehensive.
When funding for Total Information Awareness was eliminated, several of its related programs were transferred to the intelligence community and are now classified. According to TIA’s program manager Robert Popp, “What did not survive was the $4 million investment in privacy.”