Big Brother and Another Overblown Privacy Scare

John Poindexter has no more power to compile a computer dossier on you than I do

Editorial writers and other guardians of privacy have had a field day with the reports that former Reagan National Security Adviser John M. Poindexter has come back as a cross between Dr. Strangelove and Big Brother. Poindexter is watching you, or soon will be, his detractors suggest, as they lovingly detail his 1990 convictions (later reversed on appeal) for his lies to Congress about the Iran-Contra affair. The Web site for Poindexter's "Total Information Awareness" program at the Pentagon foolishly fans such fears, featuring the slogan "Scientia Est Potentia"—Knowledge Is Power—complete with an ominous, all-seeing eye atop a pyramid.

Poindexter is "getting the 'data-mining' power to snoop on every public and private act of every American," hyperventilated William Safire of The New York Times, in a November 14 column that helped touch off a frenzy of similar stuff. The Homeland Security Act, claimed Safire, would put Poindexter in control of a vast government database, containing "every purchase you make with a credit card, every magazine subscription you buy and medical prescription you fill, every Web site you visit ... complaints from nosy neighbors to the FBI," and much more.

Blather, nonsense, piffle, and flapdoodle. Poindexter has no more (and probably less) power to compile a computer dossier on you than I do. He has no more power to invade your privacy than the Pentagon procurement officer for a new machine gun has to shoot you with it. He might like to create a grand central database in which to fish through billions of transactions and other records for clues on possible terrorists. But he got no such authority from the homeland security bill and—given his Iran-Contra baggage—he never will get it.

The job of the brainy, technologically adept Poindexter is to develop technology, not set policy. He hopes (says his program's Web site) to "revolutionize the ability of the United States to detect, classify, and identify foreign terrorists—and decipher their plans." The goal—one to which many privacy guardians seem stunningly indifferent—is to thwart terrorist attacks and thus to save lives.

Poindexter is a high-level official of the Defense Advanced Research Projects Agency, which helped create the Internet. His office is working on what he calls a "prototype system," using "synthetic transactions" and other, mostly simulated data to test the capacity of computer-based pattern-recognition techniques known as "data-mining" to home in on people who might be terrorists. His office vaguely acknowledges that it is already providing technology to military intelligence agencies for use in analyzing data these agencies have legally obtained. Because of the possible effect on privacy of these current activities, and because any broader system could ultimately work well only by continuously monitoring all of us—or at least all foreigners—Congress should do some continuous monitoring of its own and explore whether to strengthen protections such as the Privacy Act.

Underneath the flap about Poindexter, a well-meaning patriot cursed with abysmal judgment, lie important questions that have been glossed over as though inconsequential. How can we identify future Mohamed Attas before they murder hundreds, thousands, or even hundreds of thousands of us? What kinds of data-mining might penetrate their plans before it is too late? What exactly would be the risks to privacy, and how can we minimize them? Might this be the only way "for us to survive as a civilization," as Stanford University computer scientist Jeffrey Ullman suggested in an interview with Salon's Farhad Manjoo?

"By looking at all kinds of information about citizens and visitors, we would know who's renting Ryder trucks or buying fertilizer for bombs or fermenters to make biological warfare agents, or who is visiting Internet Web sites to find instructions for designing a nuclear weapon." That's not Poindexter talking. That's Ashton Carter, a former Clinton Defense Department official who is now a professor at Harvard's John F. Kennedy School of Government, as quoted in the Carnegie Reporter. Carter is one of 44 members of a high-powered task force sponsored by the Markle Foundation, which explored the potential uses (and abuses) of data-mining in a thoughtful October 7 report titled "Protecting America's Freedom in the Information Age."

Data-mining and analysis can mean anything from a simple Google search of a known suspect's name to constant sifting by supercomputers through vast private and governmental databases to identify people with purchasing, travel, or behavioral patterns that experts consider to be shared by terrorists. The Markle report describes how "the use of watchout lists.... and access to quite modest forms of data" could have thwarted the September 11 attacks.

For starters, running the names of all airline ticket purchasers through the government's "watch list" of suspected terrorists would have flagged two of the 19 hijackers-to-be in August 2001. Checking their addresses could have led to three more, including Mohamed Atta. His phone records could have led to another five. An 11th had used the same frequent flier number as one of first two. Checks on recent flight-school attendees, expired visas, and other data might have led to the rest.

Future terrorists using false names, the Markle report notes, "can still be identified ... with a biometric algorithm derived from a photograph of the face" or fingerprints, which "can go into a government database when ... someone applies for a visa, or is arrested, or receives a driver's license, for instance." Such data, together with intelligence about suspected terrorists and their "networks of contacts and support," could be used to screen people seeking access to dangerous pathogens, extremely hazardous materials, or critical electronic networks.

Should we bar this sort of thing because it would subject some innocent people to unwelcome scrutiny? Or because some rogue officials might be willing to risk exposure and disgrace by leaking or threatening to leak information about pornographic video rentals, extramarital adventures, or the like to harass or blackmail political dissidents? Should we eschew fishing expeditions through Ryder truck rental records and fertilizer purchases?

Not if we want to prevent terrorist mass murders. And I, for one, am a lot less worried about the government snooping through my credit card bills and psychiatric records than about being anthraxed in the subway or killed by a nuclear explosion in my downtown Washington office.

We should, of course, minimize the risks of abuse, error, and invasion of privacy. The Markle task force compiles page after page of suggestions, including "tools that create audit trails of parties who carry out searches, that anonymize and minimize information to the greatest extent possible, and that prevent ... dissemination of irrelevant information to unauthorized persons or entities."

The important question is whether the risks to privacy posed by any particular data-mining proposal outweigh the hope that it might save lives. The answer, in every case, will depend on careful cost-benefit analysis. For now, rather than running screaming from the room or lobbying Congress to "shut down" DARPA's work on this potentially life-saving technology—as The New York Times idiotically demanded—we should remedy the government's current inability even to "make sense of the prodigious amounts of information it already has," in the words of Philip Zelikow, executive director of the Markle task force.

Far from emulating Big Brother, the government has so far failed even to pull together widely available, not-very-private data that could be useful in screening airline passengers, transporters of extremely hazardous materials, and so on. Indeed, a Senate Appropriations subcommittee recently killed a $20 million program to research such modest forms of data analysis, says Zelikow, who is also the director of the University of Virginia's Miller Center of Public Affairs and a member of President Bush's Foreign Intelligence Advisory Board.

The Markle report expresses skepticism about the effectiveness of the more exotic—and scarier—approach of "endless mining of vast new government data warehouses to find intricate correlations," especially those based on psychological profiles. By generating large numbers of false positives, Zelikow says, that approach could lead to intrusions on innocent people, ill will, lawsuits, and a political backlash against even the most effective and least intrusive forms of data-mining. Those who are serious about saving lives understand the need for safeguards to allay concerns about privacy.

And "the greatest danger to American privacy," Zelikow says, "would arise after another major terrorist attack. Those who pose privacy and security as warring goals may thus end up getting neither. The emerging center on these issues will be made up of people in both parties who see privacy and security as complementary goals that have to be achieved together and in balance."