Report Casts Doubt on Anti-terrorism Tools

• By Dian Schaffhauser
• 10/10/08

A new report from the National Academy of Sciences, part of which was co-authored by an Indiana University School of Law-Bloomington professor, casts doubt on the effectiveness, lawfulness, and appropriateness of using data-based tools such as data-mining and biometrics to fight terrorism.

The report, "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment," is the product of a three-year study by the Academy's Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals. It was requested in 2005 by the Department of Homeland Security and the National Science Foundation.

According to the report, automated data-mining techniques that search databases for unusual patterns of activity--widely used in the private sector for spotting consumer fraud--"will be extremely difficult" to use successfully for counterterrorism because of legal, technological, and logistical problems.

The report notes that there is "no scientific consensus" about whether behavioral surveillance techniques, which try to identify terrorists by observing behavior or measuring physiological states, are ready for use at all in counterterrorism. At most, the committee concluded, behavioral surveillance techniques should be used for preliminary screening to identify those who merit follow-up investigation.

According to the report, counterterrorism programs that use personal data inherently raise privacy issues, and if those programs don't work, privacy invasions are likely to be unwarranted.

The report offered two specific recommendations. The first is that all counterterrorism programs that rely on personal data should be evaluated for their effectiveness, lawfulness, and impact on privacy. The second recommendation is for Congress to examine and update privacy laws to reflect dramatic technological changes.

The report provided a detailed framework for performing that analysis, primarily authored by Fred Cate, a professor of law at Indiana U and director of the Center for Applied Cybersecurity Research. Cate also served as a committee member.

The committee's framework divides the analysis of data-based programs into two sets of inquiries: those designed to determine whether a program is or will be effective, and those designed to determine whether it complies with legal requirements and is consistent with American values.

In the wake of the terrorist attacks of September 11, 2001, the United States government has conducted intelligence gathering programs--some classified, some not--that are designed to thwart any future attacks. But the report argues that such tactics often bring innocent people into the process, whether being screened at the airport or being put on a watch list because of a Web site the individual has visited.

Although the report doesn't comment on any specific data-based programs currently in use, many involve the same data mining and biometric monitoring techniques about which the committee expressed such skepticism. For example, the government's Advanced Targeting System analyzes personal data in an effort to identify which airline passengers entering or leaving the country pose risks to national security. The Transportation Security Administration announced in early October that it would begin deploying body heat sensors at airports to attempt to determine which people entering airport buildings were carrying explosives.

Cate said the call for such programs to be evaluated prior to and after their implementation can allow the government to be proactive in its counterterrorism efforts while maintaining the civil liberties of its citizens.

"This report highlights the importance of not letting the pressure to 'do something' in response to terrorist threats cause us to ignore the science, testing, and legal measures necessary to ensure that we do something that works, that will be effective in protecting our nation, and that is consistent with our laws and values," Cate said.

Cate said the committee's recommendations aren't necessarily new.

"Almost all of the report's recommendations have appeared before," Cate said. "The real force of the report is its call on Congress, the executive branch, and the courts to do what they have long known that they should to protect our security and our privacy. This isn't rocket science; it is a question of political will."