Homeland Security Watch

News and analysis of critical issues in homeland security

June 6, 2008

New White House Directive on Biometric Data Issued

Filed under: Intelligence and Info-Sharing, Privacy and Security — by Jonah Czerwinski on June 6, 2008

Yesterday the White House issued a new directive intended to coordinate efforts by Federal departments and agencies to collect, store, use, analyze, and share biometric and associated biographic and contextual information of “known and suspected terrorists.”

The joint national security and homeland security directive, known as NSPD-59/HSPD-24, seeks to enhance government capabilities in managing biometric data about suspected terrorists. This directive refers to a “Federal framework for applying existing and emerging biometric technologies to the collection, storage, use, analysis, and sharing of data in identification and screening processes.” The framework is intended to better structure the various federal efforts focused on biometric identification for national security purposes as part of “a layered approach to identification and screening of individuals.”

This dovetails well with the post earlier this week about the discussion with Patty Cogswell of the DHS Screening Coordination Office. Note also the potential relationship between this directive and efforts underway at the FBI (Next Generation Identification) and at DHS (Biometric Storage System).

The following orders, directives, and strategy documents bear on this directive’s implementation:
• Executive Order 12881 (Establishment of the National Science and Technology Council);
• Homeland Security Presidential Directive 6 (HSPD 6) (Integration and Use of Screening Information to Protect Against Terrorism);
• Executive Order 13354 (National Counterterrorism Center);
• Homeland Security Presidential Directive 11 (HSPD 11) (Comprehensive Terrorist Related Screening Procedures);
• Executive Order 13388 (Further Strengthening the Sharing of Terrorism Information to Protect Americans);
• National Security Presidential Directive 46/Homeland Security Presidential Directive 15 (NSPD-46/HSPD-15) (U.S. Policy and Strategy in the War on Terror);
• 2005 Information Sharing Guidelines;
• 2006 National Strategy for Combating Terrorism;
• 2006 National Strategy to Combat Terrorist Travel;
• 2007 National Strategy for Homeland Security;
• 2007 National Strategy for Information Sharing; and
• 2008 United States Intelligence Community Information Sharing Strategy.

The main thrust behind HSPD-24 is an intention to make all biometric and associated biographic and contextual information of threatening persons available to all agencies. Sounds sweeping. The HSPD does make explicit that the scope here is to enable information sharing across the Executive branch, not to collect more biometric data. Given that the Assistant to the President for Homeland Security and Counterterrorism is the primary person responsible for “interagency policy coordination on all aspects of this directive,” this may not mean much. That position has been vacant since last year.

UPDATE: The day before I wrote this post the President named Fran Townsend’s successor. Thomas P. Bossert is the new Deputy Assistant to the President for Homeland Security. This is a promotion from his job as Special Assistant to the President for Homeland Security and Senior Director for Preparedness Policy. Bossert also served as Director of Infrastructure Policy on the HSC staff and, before that, as Deputy Director in the Office of Legislative Affairs at DHS’s former Emergency Preparedness and Response Directorate.

March 24, 2008

REAL ID Showdown Averted?

Filed under: Border Security, Intelligence and Info-Sharing, Privacy and Security — by Jonah Czerwinski on March 24, 2008

Waiting in the HLSWatch.com inbox upon my return from Big Sky, Montana, were scanned copies of correspondence between DHS Assistant Secretary for Policy Stewart Baker and Montana Attorney General Mike McGrath about the state’s request to opt out of the REAL ID Act.

DHS granted an extension on Friday to the state of Montana so that it can comply with the REAL ID Act. The only thing is that Montana never asked for an extension. Montana governor Brian Schweitzer made news over his intention to defy the law passed by Congress in 2005. Schweitzer is leading a charge (joined by Maine, South Carolina, New Hampshire, and Oklahoma) to oppose the REAL ID Act and any efforts by DHS to impose penalties for non-compliance.

The 9/11 Commission recommended that the U.S. rationalize the state identification regime in order to reduce the risk of fraud (suspected to aid terrorists and criminals alike). The Commission argued that the federal government should “set standards for the issuance of … driver’s licenses.” The REAL ID Act requires that a standardized driver’s license be used for “official purposes.” At this point, DHS proposes to define “official purposes” of a REAL ID as accessing federal facilities and nuclear power plants and boarding commercial aircraft. The main beef states have with the Act is the lack of funding to pay for the mandate. DHS is stretching out the compliance period over almost ten years (2014) to make it easier on states, but that only avoids the REAL problem according to Governor Schweitzer. Schweitzer and the Montana state legislature oppose it on principle.

(It sure doesn’t help that the Secretary suggested contrarians should “grow up” about security measures, such as the REAL ID provisions. The statement emboldened critics to examine his tenure more closely and shift the focus away from REAL ID.)

Montana seeks a complete waiver, but DHS’s Stewart Baker explained in a letter to Montana’s Attorney General that DHS has only the authority to carry out the statute or grant extensions to states that “meet the requirements” of the REAL ID Act.

Frankly, after Montana’s governor has called the law “nonsensical”, “kooky,” and “hare-brained,” and invited other states to join him in a showdown over “the DHS coercion to comply,” I’m impressed with Baker’s dispassionate response. Baker wrote in a response the same day he received McGrath’s letter:

Under the statute, the Department [of Homeland Security] can only grant an extension of the compliance deadline [as opposed to a waiver.] Therefore, I can only provide the relief you are seeking by treating your letter as a request for an extension.

Of course, Schweitzer’s whole deal is that he’ll never seek an extension because it would be interpreted as intention to implement the Act.

January 15, 2008

DNI McConnell Sheds Light on Cyber Strategy in Interview with New Yorker

Filed under: Cybersecurity, Privacy and Security, Strategy — by Jonah Czerwinski on January 15, 2008

Additional public information about the developing cybersecurity policy can be found in an interview with DNI McConnell in the Jan 21, 2008, issue of The New Yorker. In it, interviewer Lawrence Wright describes McConnell’s path to prioritizing cybersecurity, the scale of the challenge to secure both government and private networks, and some of the unique characteristics of the plan that invoke privacy concerns. As noted in yesterday’s post, the President requested $436 million to fund cybersecurity initiatives likely to be driven by this strategy.

Highlights:
• In May 2007, at a meeting with the President and several cabinet members, McConnell asked for authority to wage information warfare against the tech savvy insurgents in Iraq. McConnell identified computer-network defense as an area in which the U.S. was under-invested. The President then charged McConnell to craft a security strategy, not only for government systems but also for American industry and private individuals.

• McConnell’s Cybersecurity Policy, which is still in draft, recommends reducing the access points between government computers and the Internet from two thousand to fifty.

• McConnell expresses concern about private sector defense. “The real question is what to do about industry,” McConnell is quoted as saying. He continues, “Ninety-five per cent of this is a private-sector problem.”

• McConnell suggests that the “real problem is the [cyber crime] perpetrator who doesn’t care about stealing [money] —he just wants to destroy.”

• Privacy protections are considered to be in conflict with enhanced security. A contributor to the strategy and long-time collaborator with McConnell says that the government needs the authority to examine the content of any e-mail, file transfer, or Web search.  Citing a maxim among the info-sec community, he concluded that “Privacy and security are a zero-sum game.”

• Aware of the difficulties in obtaining new powers for security measures, McConnell says that “FISA reform will be a walk in the park compared to this….”

September 10, 2007

New Nat’l Applications Office to Open at DHS in OCT

Filed under: Intelligence and Info-Sharing, Organizational Issues, Privacy and Security — by Jonah Czerwinski on September 10, 2007

A new office opens in October at DHS that will manage civilian use of intelligence community and DoD assets. The National Applications Office is the post-9/11 incarnation of what used to be called the Civil Applications Committee that started in 1974 as the result of the President’s Commission on CIA Activities Within the United States (Rockefeller Commission).

Beginning next month, the National Applications Office (NAO) will serve as the “principal interface” between the intelligence community and the Civil Applications, Homeland Security, and Law Enforcement Domains.  According to Bobby Block at the Wall Street Journal, it was a May 25 memo that empowered DHS through the NAO to gain access to some of the U.S.’s most powerful intelligence-gathering capabilities.  Director of National Intelligence Michael McConnell designated DHS as the executive agent and functional manager of the National Applications Office.  It was this May 25 memo to Secretary Chertoff that assigned responsibility to DHS for:

• Enabling a wide spectrum of civil applications, homeland security, and law enforcement users greater access to the collection, analysis, and production skills and capabilities of the intelligence community;

• Enhancing intelligence and information sharing and dissemination to federal, state, and local government and law enforcement users;

• Educating customers about the capabilities and products of the intelligence community;

• Advocating future collection technology needs of the civil applications, homeland security and law enforcement customers in the intelligence community and Department of Defense forums; and

• Providing a forum for discussion of proper use oversight and management of new uses of classified information on behalf of domains, in addition to already established uses.

Last week, the House Homeland Security Committee convened a hearing about the NAO as noted here. Witnesses from DHS included Charlie Allen, Chief Intelligence Officer; Hugo Teufel, Chief Privacy Officer; and Dan Sutherland, the Civil Rights and Civil Liberties Officer.

A National Applications Executive Committee will be established to provide interagency oversight. A DHS fact sheet issued on 15 August describes how the NAO will work with the “advice and support” of three customer domain working groups:

• Civil Applications Domain Working Group: This working group will continue the efforts of the Civil Application Committee that have been ongoing for more than 30 years, including scientific, geographic and environmental research.

• Homeland Security Domain Working Group: The “Homeland Security Domain” includes those government agencies and activities involved in the prevention and mitigation of, preparation for, response to, and recovery from natural or man-made disasters, including terrorism, and other threats to the homeland. This domain can encompass the many operational and administrative components of DHS, as well as other federal, state, local, and tribal elements who partner with the department. Its work will complement the Civil Applications Working Group in areas like natural disaster response.

• Law Enforcement Domain Working Group: This working group includes federal, state, local, and tribal entities, and those activities which support both the enforcement of criminal and civil laws, and the other operational responsibilities and authorities of these entities.

UPDATE 9/11/07: For video stream and complete statements for the record by those testifying before the House Homeland Committee, click here.

August 8, 2007

DHS Privacy Office Updates Targeting Records

Filed under: Intelligence and Info-Sharing, Legal Issues, Privacy and Security — by Jonah Czerwinski on August 8, 2007

DHS Chief Privacy Officer Hugo Teufel III last Friday announced that the Department has released four Privacy Act records involving DHS’s Automated Targeting System (ATS). These records have been posted to the department’s public Web site and were scheduled to appear Monday in the Federal Register.  The four records are an updated System of Records Notice (SORN), the Discussion of Public Comments Received on the SORN, a Notice of Proposed Rulemaking for Privacy Act Exemptions, and a Privacy Impact Assessment (PIA).  

After receiving hundreds of comments regarding the initial SORN published in November 2006, the department revised it in the following way:

• ATS-P will retain the information for a far shorter period of time. The retention period is now 15 years (7 years active and 8 years dormant), a significant decrease from the proposed 40-year period.

• Under ATS-P, the purposes for which Passenger Name Record data (PNR) may be used have been narrowed.

• The SORN implements the department’s mixed system policy, which administratively extends the protections of the Privacy Act of 1974 to non-U.S. persons by providing access and redress to their PNR data.

According to Teufel, DHS does not collect information on race, ethnicity, religion, or orientation, or make decisions based on such information, and to the extent such information may be provided by a carrier, the department filters that information.  More information about this announcement is available.

July 26, 2007

U.S.-EU Strike Accord on PNR Data Sharing

Filed under: Aviation Security, International HLS, Legal Issues, Privacy and Security — by Jonah Czerwinski on July 26, 2007

Looks like the U.S. and EU overcame the most recent tussle concerning how the two allies will share private or personal information in pursuit of terrorists (and other criminals, of course). The press release from this afternoon is available here. Following are the main points:

  • The Department of Homeland Security will collect 19 types of PNR data.
  • The data will be maintained for seven years in an active file, and eight years thereafter in a dormant file with limited access.
  • How DHS collects PNR data from airline reservation systems changes, too. Air carriers will now transmit PNR data directly to DHS.
  • European air carriers get legal assurance that they will not be in violation of EU privacy law.

January 5, 2007

DHS developing new traveler redress system

Filed under: Aviation Security, Privacy and Security — by Christian Beckner on January 5, 2007

The Federal Register contained a notice today by the TSA on a new information collection requirement related to a program that has not previously been disclosed, based on a quick Google search of its name:

The Rice-Chertoff Initiative (RCI) Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP) was developed as a voluntary program by DHS to provide a one-stop mechanism for individuals to request redress who believe they have been: (1) Denied or delayed boarding; (2) denied or delayed entry into or departure from the United States at a port of entry; or (3) identified for additional (secondary) screening at our Nation’s transportation hubs, including airports, seaports, train stations and land borders. The DHS TRIP office will be located at, and managed by, TSA. In order for individuals to request redress, they are asked to provide identifying information, as well as details of the travel experience.

The one-year anniversary of the launch of the Rice-Chertoff Initiative is later this month; this program is the result of Chertoff’s promise in that speech to establish a “government-wide traveler screening redress process before the end of this year [2006].”

For more on this issue, see this earlier post.

January 4, 2007

Federal Register notes US-EU PNR deal

Filed under: Border Security, International HLS, Privacy and Security — by Christian Beckner on January 4, 2007

Today’s edition of the Federal Register provides notice of the interim agreement that was reached in October 2006 between the United States and the European Union on passenger name record (PNR) data, following the European Court of Justice’s decision to strike down the earlier PNR agreement that dated from 2004. There are no surprises in the new notice - its contents had been widely aired last fall - but it’s useful as a complete record of the new agreement.

December 21, 2006

New docs from the DHS privacy committee

Filed under: Privacy and Security — by Christian Beckner on December 21, 2006

The DHS Privacy and Data Integrity Advisory Committee has released several interesting documents within the last week, including a report entitled “The Use of Commercial Data” and the transcript of its September advisory committee meeting: Part 1, Part 2. The latter documents transcribe interesting discussion at this meeting on issues related to the Privacy and Civil Liberties Oversight Board, the Office of Screening Coordination at DHS, and progress on establishing an effective traveler redress system.

December 13, 2006

DHS Privacy Committee report on RFID finalized

Filed under: Privacy and Security, Technology for HLS — by Christian Beckner on December 13, 2006

Back in May of this year, a subcommittee of the DHS Data Privacy and Integrity Advisory Committee released a draft report entitled “The Use of RFID for Human Identification.” That paper prompted a minor controversy within DHS, given the extent to which it questioned the Department’s use of RFID in homeland security programs and applications.

After several months of re-writing, a final version of the paper was approved by the Privacy Committee at its meeting last week. It’s not yet on the DHS website, but the RFID Journal has a copy, which you can download at this link and read about in this article. The article provides a useful discussion of the differences between the first draft and the final draft.

December 11, 2006

ATS-P controversy still simmers

Filed under: Border Security, Privacy and Security, Risk Assessment — by Christian Beckner on December 11, 2006

The controversy over the passenger component of the Automated Targeting System has simmered over the past month (see my previous posts here and here) in the media and the blogosphere, with the latest feud centering around whether a provision in the FY 2007 appropriations act prohibits the risk assessment function of the ATS-P. Privacy and civil liberties groups have argued in the past week that it does. DHS has started to fight back against these charges in the media, as exemplified by Sec. Chertoff’s quotes in this National Journal piece by Shane Harris.

You can read the full provision in question, Sec. 514, on pages 25-26 of the FY 2007 DHS appropriations bill (H.R. 5441) at this link. My take on this question is that ATS-P does not violate Sec. 514, which specifically references the domestic Secure Flight program and “any successor programs.” ATS-P is a program that preceded Secure Flight. And all of the references to GAO requirements in Sec. 514 confirm that this was solely written with Secure Flight in mind.

There is one other important difference between the two programs that is also worth pointing out: the domains in which the two programs are used. ATS-P is for inbound international arrivals. Secure Flight, if it were to become operational, would be for domestic air travel. The security imperatives and the personal rights of individuals are inherently different in these two domains. In the domestic realm (Secure Flight), travelers are presumed to be legally in the United States, and the sole purpose of risk assessment is related to risks associated with the air travel. In the international realm (ATS-P), identity is not assumed but needs to be proven, and the government has a legitimate role in determining the identity and nationality of individuals entering the United States as a legitimate assertion of national sovereignty. At borders and points-of-entry, the government has greater authority to conduct search and inspection activities than at any place inside of the country’s borders. This same inherent authority is what, I think, should give the ATS-P system a greater authority to conduct security-related risk analysis than any domestic risk assessment system.

There are some legitimate concerns that the privacy and civil liberties groups have brought forward in the course of this debate, e.g. questioning the rationale for retaining records for 40 years. But overall, I find myself sticking to my original impression of this issue when I first posted about it in early November, and wondering what all the fuss is about.

November 20, 2006

DHS privacy office releases annual report

Filed under: Privacy and Security — by Christian Beckner on November 20, 2006

The DHS privacy office has finally released its latest annual report to Congress, covering a two-year period from mid-2004 to mid-2006. The delay in the release of this report, which is supposed to be released annually rather than every other year, has been the topic of recent complaints by privacy advocacy groups. This delay is acknowledged in the preface to the report, although it attempts to excuse it based upon leadership turnover issues - a rationale that doesn’t really cut it, given DHS’s decision to leave the privacy office with an acting director for ten months from September 2005 to July 2006.

As for the report itself, there’s very little in the way of new information; it’s essentially a list of activities by the Privacy Office over the last two years, nearly all of which have already been publicly reported.

November 15, 2006

DHS privacy committee does Miami Beach

Filed under: Privacy and Security — by Christian Beckner on November 15, 2006

From yesterday’s Federal Register:

The Data Privacy and Integrity Advisory Committee (“Privacy Advisory Committee”) will be meeting on Wednesday, December 6, 2006, in the Key Biscayne A room of the Eden Roc Hotel, 4525 Collins Avenue, Miami Beach, Florida 33140. The meeting will be held from 8 a.m. to 11:15 a.m. and 12:15 p.m. to 2:30 p.m.

Dang, that’s a nice hotel. There’s a public comment period in the meeting from 2:00 to 2:30pm. You can register in advance as indicated in the notice.

November 1, 2006

Book Review: ‘Identity Crisis’

Filed under: Privacy and Security — by Christian Beckner on November 1, 2006

I read the book “Identity Crisis: How Identification Is Overused and Misunderstood” by Jim Harper at the CATO Institute last week, with the objective of improving my understanding of identification issues as they apply to key homeland security challenges.

Many of the most significant controversies in the homeland security policy realm today - REAL ID, a National ID card, aviation security screening, the use of biometrics - pivot upon issues of identification, and the way in which the imperatives for security, privacy, and freedom sometimes clash with one another in these debates. Too often, these issues are demagogued or misinterpreted by people on all sides of these debates, creating the need for clarity on the terms of these debates. This book adds a valuable dose of clarity to this debate, and while I disagree with some of Harper’s conclusions, I think that the implicit framework in the book provides a basis on which future identity- and security-related policy disputes can be mediated.

Harper’s book does an excellent job of laying the groundwork and clearly defining the different types of identification and the roles that they play in everyday societal interactions. He provides interesting historical context on the evolution of identification, and writes in an engaging style that is atypical for a think tank-published tome.

These early chapters of the book set the stage for the discussion of key identity-related policy issues today: the excessive use of Social Security numbers as an identifier, the role of the credit bureau industry, the changing roles of identification cards, the implications of the REAL ID Act, aviation screening issues, and the debate over whether the U.S. should have a national I.D. card, among others.

Harper argues generally that identification-based tools and techniques are a weak source of leverage in the fight against terrorism, suggesting instead a risk management approach focused on a non-person-centric approach to addressing threats and vulnerabilities. This passage from page 212 summarizes his argument:

Good risk management addresses threats and risks without regard to who might cause them, long before any bad actor has been identified. The reduced risk of commandeering since 9/11 illustrates this well. Hardened cockpit doors stop anyone who might enter the flight deck without permission. The resolve of crew and passengers to attack hijackers does not turn on who they are but extends to any and every hijacker. This entire method of attack has largely been cut off.

These techniques to reduce risk do not rely on identification. They meet threat vectors head-on. The same is true of security against other tools and methods of attack. Magnetometers screen for all weapons. X-ray machines scan for all guns and bombs. Sensors sniff for bomb residues and chemical or biological agents no matter whom or what they are on. Identification of people plays no role in the most direct and substantial methods for managing the risks to passenger air travel.

It’s on this point, as it applies to the key issues discussed in the book, that I have my main disagreement with the book. I don’t see identification vs. physical security as an either/or dichotomy. Instead, I see them both as valid tools, each with their pros and cons, that should be used in harmony with each other, based on cost, effectiveness, and societal values, as part of a broad systemic approach to securing the homeland. There are some instances where physical-based approaches will suffice on their own. And identification systems are no panacea, as they have sometimes been made out to be. But I think that identification-based tools can be appropriately used to improve protection or create deterrence within certain threat vectors.

Harper also has an interesting discussion in the latter part of the book about the relative merits of homogeneous vs. heterogeneous ID systems: a debate that is relevant to the ongoing discussions over the REAL ID Act and the concept of a National ID card. I’ve argued previously on this blog that a National ID card would be preferable to the heterogeneous 50-state system that we have today, and that the REAL ID Act is an expensive solution, providing some security benefits due to improved credentialing and verification but in a way that doesn’t capture the benefits from scale and integration. Harper argues, by contrast, that integration is inherently dangerous (creating the risk of excessive data aggregation) and that scale creates undue criminal temptations (i.e. makes the card valuable and motivates illicit acquisition). I take his points, but I still see these risks as lesser than the existing risks resulting from the lack of common standards, which allows certain states to maintain weak ID systems.

But overall, this was a very engaging book, and well worth reading for anyone who works on or cares about these issues. The advocates of increased use of identification for security would be well-advised to read it to understand the perils that certain courses of action can create. And the foes of increased use of identification should read this as well, as a way to understand how to rationally criticize ID-related programs, instead of making fear-inducing, emotive counter-arguments, as is too often the case. By thinking and operating along the parameters suggested in this book, I believe that we can come to a lot more common ground on these difficult issues.

You can order the book directly from the CATO Institute or here at Amazon.

October 6, 2006

US and EU reach final PNR deal

Filed under: Aviation Security, International HLS, Privacy and Security — by Christian Beckner on October 6, 2006

The United States and the European Union reached a final deal on the Passenger Name Record (PNR) dispute today, a negotiation forced by the European Court of Justice ruling striking down the prior agreement in May. DHS issued a press release this morning that puts a positive spin on the outcome:

I am pleased to announce the European Union (EU) and Department of Homeland Security (DHS) have reached a final agreement regarding Passenger Name Record (PNR) data which will allow us to make full use of passenger data as needed to protect our borders. This agreement provides the information sharing that I called for in August.

Under the agreement, U.S. Customs and Border Protection will have new flexibility to share PNR data with other counter-terrorism agencies within the U.S. government, carrying out the President’s mandate to remove obstacles to counter-terrorism information sharing. The new flexibility will apply to agencies within DHS as well as to the Department of Justice, the FBI, and other agencies with counter-terrorism responsibilities; sharing will be allowed for the investigation, analysis, and prevention of terrorism and related crimes. We are pleased that this U.S.-EU agreement promotes our joint goal of combating terrorism while respecting our joint commitment to fundamental rights and freedoms, notably privacy.

I am also encouraged that the agreement will allow the department to receive PNR data earlier, thus increasing our ability to identify potential terrorists. The department will in time obtain access to PNR outside of the 72 hour mark when there is an indication that early access could assist in responding to a specific threat to flights bound for the United States.

But the EU Politix website discusses another change from the current system that is less favorable to the U.S.:

EU justice commissioner Franco Frattini said that the new system agreed with the US department of homeland security met demands from the European parliament for a rebalancing of the previous agreement.

“We decided together to guarantee a new system for transferring data, which I believe is very good news,” he told journalists.

“In the past we had a ‘pull’ system, which meant the US was allowed to pull data directly from airline databases in the EU.”

“Now we have a push system – the US must make a request to the airlines to give them the information.”

“There will be no direct access for US authorities – this was one of the main topics of our discussions in the parliament.”

The ability for CBP to share information with other counterterrorism and homeland security agencies is an important win for DHS. But this last item seems to me to be a critical loss from a counterterrorism perspective. The new system will facilitate watch list checks and name matches, but it sounds like it will be difficult and cumbersome to conduct link analysis and related queries using PNR data - which is what Sec. Chertoff has insistently said was needed following the UK aviation plot. It’s possible that DHS could jury-rig a system that allows it to conduct link analysis among data elements that have been “pushed” to them, but that seems more challenging from a technology perspective and likely less effective.

October 5, 2006

White House issues DHS approps signing statement

Filed under: DHS News, Privacy and Security — by Christian Beckner on October 5, 2006

The signing statement for FY 2007 DHS appropriations was released on the White House website yesterday, and was criticized in this AP story today. The story discusses how the signing statement will ignore a Congressional mandate regarding the issuance of reports by the DHS privacy officer. It should be noted that this isn’t really news - in fact, this exact same provision was included in last year’s signing statement for FY 2006 appropriations. The main difference this year is increased public and media attention to signing statements.

This year’s signing statement also indicates that the Administration will ignore the requirement that the director of FEMA have at least five years of experience:

Section 503(c) of the Homeland Security Act of 2002, as amended by section 611 of the Act, provides for the appointment and certain duties of the Administrator of the Federal Emergency Management Agency. Section 503(c)(2) vests in the President authority to appoint the Administrator, by and with the advice and consent of the Senate, but purports to limit the qualifications of the pool of persons from whom the President may select the appointee in a manner that rules out a large portion of those persons best qualified by experience and knowledge to fill the office. The executive branch shall construe section 503(c)(2) in a manner consistent with the Appointments Clause of the Constitution. Also, section 503(c)(4) purports to regulate the provision of advice within the executive branch and to limit supervision of an executive branch official in the provision of advice to the Congress. The executive branch shall construe section 503(c)(4) in a manner consistent with the constitutional authority of the President to require the opinions of heads of departments and to supervise the unitary executive branch. Accordingly, the affected department and agency shall ensure that any reports or recommendations submitted to the Congress are subjected to appropriate executive branch review and approval before submission.

Whoever it was that decided to include this provision in the signing statement must be politically tone-deaf. Thirteen months after Hurricane Katrina and the debacle with Mike Brown, why be such a stickler on this point, even if you think you’re correct on legal terms? It’s doubtful that the current Administration would again nominate someone who was underqualified, and a statement like this accomplishes only one thing: pissing off Congress.

August 22, 2006

UK terror plot revives PNR info-sharing issue

Filed under: Aviation Security, Intelligence and Info-Sharing, Privacy and Security — by Christian Beckner on August 22, 2006

The New York Times has an important story today on the issue of the Passenger Name Record (PNR) and the role that it can play as a data input into the aviation screening system, in the wake of the foiled UK terror plot. The proposals discussed in the story seem to go beyond the currently-planned uses of PNR data, envisioning a broader system of data analysis using the PNR information, perhaps with a direct hook into the major Computerized Reservation Systems (e.g. Sabre, Galileo, Amadeus) that are the core information nodes of the global travel system:

A proposal by Homeland Security Secretary Michael Chertoff would allow the United States government not only to look for known terrorists on watch lists, but also to search broadly through the passenger itinerary data to identify people who may be linked to terrorists, he said in a recent interview.

Similarly, European leaders are considering seeking access to this same database, which contains not only names and addresses of travelers, but often their credit card information, e-mail addresses, telephone numbers and related hotel or car reservations.

….“Ideally, I would like to know, did Mohamed Atta get his ticket paid on the same credit card,” Mr. Chertoff said, citing the lead hijacker of the 2001 plots. “That would be a huge thing. And I really would like to know that in advance, because that would allow us to identify an unknown terrorist.”

Would there be direct security benefits from this type of analysis? Absolutely. Will the privacy loss from this outweigh its benefit? That depends, based upon different individual and national privacy values (and some people would object to the concept of even quantifying this). Are there ways to do this that are less invasive in terms of individual privacy? Definitely, including data anonymization and a system where individual countries and the reservation systems conduct data analysis themselves and share only the ‘hits’ against common watch list and indicators databases, without having to share the full stream of unwashed PNR data.

Update (8/23): More on this issue from Ryan Singel at 27BStroke6.

August 8, 2006

The AOL search data leak: implications for homeland security

Filed under: Intelligence and Info-Sharing, Privacy and Security — by Christian Beckner on August 8, 2006

A research site at America Online posted three months of search records for 500,000 people (over 20 million searches) on the Internet recently. The data was discovered over the weekend and news of it has quickly spread across the blogosphere and into the mainstream media. AOL rapidly removed the data from its site, but the cat’s already out of the bag - the files were copied, and have been replicated all over the Internet.

Anyone can download the 439 MB file, just as I did last night. People are already poring through the data, finding some very disturbing search patterns among a number of AOL’s users. In theory, there is no personally-identifiable information in the database, but if people ran searches that identify things about themselves, it often becomes easy to figure out who they are. In many ways, this is a worse privacy loss than the laptop stolen from the Veterans Administration employee earlier this spring would have been, had its data been compromised.

This inadvertent disclosure of data forces the need for a public debate on the retention and use of search data by private companies, and the propriety of its use by government agencies. In January we learned that Google refused a DOJ subpoena to supply the government with exactly this kind of data - a request with which Yahoo!, AOL and MSN complied. These companies are compiling petabytes of search data on their servers, effectively archiving the collective subconscious of hundreds of millions of people.

This information clearly has value from a marketing and business intelligence perspective, which is why the search companies are retaining it. But this data then becomes an overly tempting target for homeland security and counterterrorism officials. Should they be able to access it? Under what conditions? By whom? And what is the actual value of the search information? We need to answer these questions, and in doing so develop a clear framework to guide how and when such information should be available to government officials, rather than continuing along in the legal and policy vacuum that the United States is in today.

We need a framework that allows narrow access to this search data in cases where a person or group is under investigation for activities related to terrorism, counterintelligence, and/or WMD proliferation. But I would forbid access to this search data for the purpose of conducting wide-ranging analysis of search data - looking for needles in the haystack - because the benefits would not be nearly commensurate with the massive privacy hit. And the search companies need to be more responsible in their utilization of this data, and develop policies and systems for destroying data after a finite period of time (1-2 years), and give users the ability to clear and remove personally-identifiable search histories from company servers.

This assessment is based in part on some cursory analysis of the AOL data last night. In cases where I found “suspicious” searches, I could never be certain about the actual intent of the search. This inability to divine intent from searches will naturally lead to high percentages of false positives. For example, anyone who works in the homeland security field, as I do, is likely to run searches related to terrorist tactics, infrastructure protection, etc. These searches are all false positives, and likely will drown out any “real” terrorist search activity. Efforts to investigate these searches would therefore be expensive, and less productive than traditional means of intelligence and investigation.

If the federal government is allowed unfettered access to this data, we run the risk of creating a new Orwellism - Searchcrime - that is an inefficient response to the war on terror.

August 7, 2006

Data mining and terrorism: building the business case

Filed under: Privacy and Security, Technology for HLS — by Christian Beckner on August 7, 2006

CIO Magazine has an excellent article in its latest issue on the role of data mining in homeland security and counterterrorism, assessing its benefits and limitations, considering the types of tasks for which it is useful, and calling for greater rigor in determining when and where it should be utilized. After noting the proliferation of data mining projects in the federal government since 9/11, the article notes:

But some experts are beginning to question whether an IT strategy of unlimited scope, budget and schedule will best serve that end [of protecting the country].

….“No one [in the government] has looked at data mining from an IT value perspective,” says Steve Cooper, former CIO of the Department of Homeland Security. “I couldn’t figure out [the value of data mining] when I was in DHS, and I can’t figure it out now. But that didn’t stop us from using it.”

In other words, according to Cooper, no one has done a business case analysis to determine whether the government is getting a return on its investment. Instead, a rationalization is usually sufficient: If a project has a chance to catch just one terrorist, then it is worth it.

This is a somewhat surprising admission from the former CIO of the Department of Homeland Security, who was in the trenches when a number of relevant programs were being considered.

The story then puts data mining projects into two categories: subject-based systems (i.e. link analysis) and pattern-based systems. It offers examples of useful data mining projects in each category (links among Gitmo prisoners, patterns of activity among cleared DOD personnel to detect counterintelligence), but only in cases where the population that is being analyzed is at a relatively modest scale, i.e. thousands instead of millions. It then takes a long look at TSA’s CAPPS-II and Secure Flight programs as examples of programs that have thus far failed to achieve their objectives because of immodest scope and an unclear business case:

Capps II and Secure Flight had no such ROI mechanisms. But rather than reexamine the goals and scope of the projects, the government simply expanded them to include profiling, a hunt for common criminals and more. And as happens so often with IT projects when their goals are too broadly defined, the system is still not active despite an originally planned go-live date of November 2003.

“TSA was never willing to reevaluate the scope of the project,” says Jim Dempsey, policy director of the Center for Democracy and Technology, who was part of the TSA’s Secure Flight Working Group with Schneier. “So now, five years after 9/11, we still don’t have an automated system for matching passenger names with names on the terror watch list. Civil liberties had nothing to do with that.”

The story concludes with a general plea for greater oversight of government data mining activity, as a way to ensure that programs actually deliver real security dividends:

Most data mining projects are not subjected to a rigorous business case analysis. Two current intelligence CIOs who were otherwise unable to comment for this story agreed that this is an issue that they struggle with. The DoD’s Technology and Privacy Advisory Committee (TAPAC) developed a 10-point system of checks and balances [Ed. note: see page #’s 54-55 of this document] that it recommended every agency head apply to data mining projects, but Cate says that it has never been implemented. Similarly, the National Academy of Sciences recently appointed a committee to develop a methodology that the government can use to evaluate the efficacy of its antiterror data mining projects, but the target date for its report is still more than a year away.

What’s left is the status quo. That’s troubling to people like Cate. “There are some extraordinarily smart people [working on data mining systems], and I would be hard pressed to think that they are wasting their lives on something that doesn’t work,” he says. “But one of the things [TAPAC] kept focusing on was that you have to be able to show that it works within acceptable parameters,” a responsibility that he says rests with agency heads.

Agency heads aren’t accepting that responsibility, says Cate. “As far as the oversight process is concerned, it is clear that [data mining to prevent terrorism] is a disaster.”

These efforts to develop consistent standards, methodologies, and checkpoints for data mining projects are very important, as I’ve suggested in previous posts. Data mining can deliver real value to the war on terror, but it needs to be developed in a much less scattershot manner than has typically been the case over the last five years.

Overall, a very good story, one that usefully clarifies the role and typology of data mining for homeland security and counterterrorism.

July 27, 2006

US-VISIT expands to include permanent U.S. residents

Filed under: Border Security, Privacy and Security — by Christian Beckner on July 27, 2006

DHS released a notice in the Federal Register today (noticed quickly by the New York Times) that announces plans to increase the categories of people who will be required to enroll in the US-VISIT system (i.e. be fingerprinted and have their picture taken) when they enter and exit the United States, to include:

  • All legal permanent residents (green card holders) living in the United States;
  • Aliens seeking admission on immigrant visas;
  • Refugees and asylees;
  • Canadians who are in the United States as students, journalists, crew members, temporary workers, intracompany transferees, and athletes (but not Canadians visiting for short-term business or pleasure…they will be covered under pending WHTI regs).

Is the U.S. entry system ready for this additional work burden? This could potentially lead to longer wait times at certain land border crossings and airports if not managed correctly. Also, I would expect there to be some serious privacy-related backlash on this decision, given the fact that lawful permanent residents are considered “US persons” from a legal standpoint, and under law should have the same privacy rights as U.S. citizens.

July 21, 2006

DHS names new chief privacy officer

Filed under: DHS News, Privacy and Security — by Christian Beckner on July 21, 2006

From an announcement sent out by DHS this afternoon:

I am pleased to announce that I have appointed Hugo Teufel III as Chief Privacy Officer for the Department of Homeland Security. Hugo is an outstanding professional, who I have counted on for steady judgment and sound advice as the department’s Associate General Counsel. Hugo is highly regarded throughout the department and the legal community for his expertise on privacy, employee relations and civil rights issues.

As Chief Privacy Officer, Hugo will be responsible for ensuring privacy compliance and the protection of personal information as the department continues to carry out its vital mission. Hugo brings a wealth of knowledge and experience to this leadership position, having served previously as Associate Solicitor at the Department of the Interior, the Deputy Solicitor General for the state of Colorado, and as an attorney in private practice. Hugo is a graduate of the Washington College of Law at American University, where he was an editor of The Administrative Law Journal, and he is currently pursuing a Master’s degree in National Security and Strategic Studies from the Naval War College.

I look forward to Hugo’s many contributions to the important work of the Privacy Office and his efforts with the Privacy Office staff to continue to grow a culture of privacy protection throughout the department. Hugo has my appreciation for his continued service, and he has my complete confidence and support as Chief Privacy Officer.

Update (7/24): The AP story on the nomination.

July 10, 2006

DHS acting chief privacy officer leaves

Filed under: DHS News, Privacy and Security — by Christian Beckner on July 10, 2006

Washington Business Journal and FCW report that DHS acting Chief Privacy Officer Maureen Cooney is leaving DHS for the law firm Hunton & Williams. Cooney had been serving in the acting role in the privacy office since the departure of Nuala O’Connor Kelly in September 2005. Perhaps (and hopefully) this will serve as an opportunity for the White House to finally nominate a new Senate-confirmed chief privacy officer.

June 16, 2006

TIA & NSA: the twain shall meet

Filed under: Intelligence and Info-Sharing, Privacy and Security — by Christian Beckner on June 16, 2006

Shane Harris at the National Journal has the latest in a long string of excellent stories on intelligence issues in this week’s edition, only available right now by subscription, but likely to turn up on the National Journal’s sister publication GovExec in the next few days. (Update: now available here). The story looks at the parallel and converging efforts of John Poindexter’s Total Information Awareness program and Michael Hayden’s related efforts at the NSA in exhaustive detail, telling a complex story of patriotic intent, bureaucratic rivalry, technology challenges, and political pressures.

The story paints a fairly sympathetic picture of Poindexter’s TIA program, highlighting its speed and creativity:

In February 2002, Poindexter established a secure, classified computer network for testing analysis software and tools that might be worked into TIA. As the system came together, this experimental network would be the engineers’ Bonneville Salt Flats, a place to test-drive the state of the art. If tools passed muster there, they might end up in the design Poindexter had in mind.

“If there was a vendor with some great gizmo, they’d have to go through an arduous one- or two-year process to get that accredited by an intelligence agency,” said Robert Popp, who was the No. 2 TIA official and Poindexter’s deputy. “That didn’t fit our parameters. We wanted to kick around these various technologies to see their utility. The network could put it through that whole two-year process in a few months.”

And it describes an early real-life application of TIA:

As months passed, more agencies joined, and some began using TIA for real intelligence operations. For instance, in 2003 the Pentagon’s Criminal Investigation Task Force, which was established to fuse law enforcement and intelligence techniques in fighting terrorism, was interrogating detainees at the U.S. military facility at Guantanamo Bay, Cuba. Stacks of interrogation reports piled up, and the interrogators struggled to make sense of the information they contained. Some detainees frequently mentioned the same names or places. Some detainees claimed to know each other. Others didn’t. The interrogators turned to the TIA network to help sort out the hundreds of reports and potential leads.

“They provided the interrogation reports to analysts, and [the analysts], using several link-analysis tools provided by TIA, tried to discover interesting nonobvious relationships,” Popp said. Link analysis detects connections between people through common associates or backgrounds, and creates web-like diagrams of the connections. “The link-analysis tools showed the interrogators things that were not apparent to them — very valuable, useful information that they could then use in follow-up interrogations.” Popp said that the investigators also knew after they concluded their interrogations that some detainees were not terrorists, so those reports were used to create a sort of baseline for what a nonterrorist looked like. The tools could then be calibrated to disregard certain attributes and search for others that were salient, Popp said.

This is the appropriate and effective way to use social network analysis: as a tool for deciphering links among hundreds (or thousands) of people, not hundreds of millions.

But in mid-2003, TIA was derailed due to public scrutiny and a Congressional block on funding, and elements of it migrated over to the classified domain. (TIA had been unclassified by design, as a way to involve a wide spectrum of smart people and drive innovation). But some parts of TIA didn’t migrate:

But it discontinued some programs, most notably a multimillion-dollar effort to build privacy-protection technologies. ARDA also abandoned the effort to build audit trails in TIA, which would have permanently recorded any abuse by users.

As I’ve said before, it was a big mistake to shut down TIA; its shift to the classified domain has eliminated privacy protections, made oversight more difficult, and probably slowed down the pace of innovation.

Harris then uncovers the new name for the TIA network:

The experimental network’s name was changed from TIA, to erase any connection to its past. Today it’s called the Research Development and Experimental Collaboration (RDEC, pronounced ARdeck). The NSA is the biggest player, with at least 15 nodes as of December 2004, according to official documents. “I think it’s considerably more today,” said a former government official knowledgeable about RDEC. A spokesman for the NSA said he had no information to provide about the network.

….The Defense Intelligence Agency, which like the NSA is overseen by the Pentagon, is one of the largest RDEC users. In an interview, Lewis Shepherd, the chief of the agency’s Requirements and Research Group, said that RDEC is “the most successful attempt at bringing together a wide variety of analysts and agencies to work and think outside of the box collaboratively,” specifically on counter-terrorism. “[It] opens access to a variety of data sources to different tools that haven’t been able to access that data.” For example, RDEC lets analysts conduct repeated keyword searches on many different data streams, Shepherd said. It “sparks out-of-the-box innovation in how we do information-sharing.”

It’s difficult to assess RDEC beyond what’s discussed in the story; if it is an effective intelligence tool, and if it’s consistent with U.S. law, then it has a legitimate purpose and necessary role in the war on terror. But the apparent lack of accompanying privacy protections and audit trails concerns me; the NSA should take steps to add these features to the network, assuming that they don’t currently exist.

There are many other interesting details in the paper - as mentioned earlier, I’ll post an updated link to the full text if and when it appears online.

(Hat tip: Noah).

June 6, 2006

UPI: Bill proposes new counterterror privacy exemptions

Filed under: Intelligence and Info-Sharing, Privacy and Security — by Christian Beckner on June 6, 2006

Shaun Waterman at UPI writes today on a provision in Sec. 310 of the Senate’s version of the FY 2007 intelligence authorization bill (S. 3237) that would establish a new exemption to the Privacy Act on a three-year test basis that would allow intelligence agencies to share information related to counterterror or counterproliferation investigations that is not personally identifiable.

The same provision was included in the Senate’s version of the authorization bill last year, which was never passed into law. That conference report explains the background and rationale for the provision - scroll down to Sec. 307 - and the language is nearly identical this year.

The proposal draws a predictable response from the ACLU in the UPI story:

“If this is enacted, the Privacy Act will look like Swiss cheese,” American Civil Liberties Union (ACLU) legislative counsel Tim Sparapani said.

Mr. Sparapani said he was not reassured by the role that the law envisages for the president’s Privacy and Civil Liberties Oversight Board, which would monitor the program and report to Congress as the three-year sunset approached.

“The board is stacked four [Republicans] to one [Democrat],” he said.

“It is not truly independent” because it is inside the president’s own office, which puts it “under the thumb of the president and his advisers.”

But it receives an unfazed response from an anonymous Democratic staffer:

A Democratic committee staffer defended the proposal, saying the exemptions were “narrowly drawn to address the kinds of problems we found during our September 11 inquiry” when U.S. agencies failed to pool information about known al Qaeda militants, who were, thus, able to slip into the country.

I agree with this latter response. Inadequate information-sharing among federal agencies prevented the possible disruption of the 9/11 plot, and numerous analyses - most notably those of the Markle Task Force and the 9/11 Commission - have highlighted the need for better information-sharing among key counterterrorism agencies. This legislative proposal seems consistent with their sensible recommendations.

I’m not sure that this exemption will make much of a difference in terms of counterterror effectiveness, given the fact that the primary inhibitors of information-sharing among intelligence agencies today are cultural factors, not legal restrictions. But I don’t see any harm in having a pilot project to test the proposition.

May 30, 2006

Court strikes down US-EU PNR agreement

Filed under: Aviation Security, International HLS, Privacy and Security — by Christian Beckner on May 30, 2006

The European Court of Justice struck down the 2004 agreement between the European Commission and US Customs and Border Protection (CBP) on the sharing of aviation passenger name records (PNRs) for people traveling to the United States, following a lawsuit by the European Parliament. The court’s full decision is available here, and it is summarized in this press release from the court. The court’s key finding:

The Court found that Article 95 EC, read in conjunction with Article 25 of the directive, cannot justify Community competence to conclude the Agreement with the United States that is at issue. This agreement relates to the same transfer of data as the decision on adequacy and therefore to data processing operations which are excluded from the scope of the directive.

…and on that basis, it reached the following decision:

1. Annuls Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection and Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection;

2. Preserves the effect of Decision 2004/535 until 30 September 2006, but not beyond the date upon which that Agreement comes to an end.

The ruling is summarized in this BBC story. Commentary on the ruling can be found at the EU Law Blog, the Practical Nomad, and this triumphalist press release from the ACLU, which argues that the “decision strikes another blow at the administration’s over-reaching passenger screening proposals.” But the website Statewatch disagrees with this interpretation of the ruling, arguing:

The treaty conclusion and Commission decision have clearly been annulled because (following the opinion of the Advocate-General, see below) their subject-matter fell outside the scope of the data protection directive, as they concerned essentially the processing of data by law enforcement authorities. The other pleas by the EP [European Parliament], in particular the privacy plea, are therefore not considered at all (the Advocate-General had considered them for the sake of argument, but rejected them). The EP has therefore won a “pyrrhic” victory, as the agreement will now be replaced either by national agreements, or by a third pillar agreement with the US. Either way the EP has no power over approval of the treaty/treaties or even the power to bring legal proceedings against them. The press may describe this as a victory for the EP or for privacy but they will be mistaken.

I agree with this interpretation. This decision is above all a judgment on the EU’s byzantine character, and only secondarily about the issues at stake. The result is that all parties are going to have to work hard to develop a new agreement or set of agreements in the next few months. This advance notification is a critical layer of our travel security system, so it’s essential that the US and EU find ways to work this out, in a way that provides consistent and enforceable privacy protection but eschews fearmongering and hyperlegalism. And I think at some point the US and EU need to think about developing a common set of agreed principles for privacy and security issues, to move away from the painstaking case-by-case basis on which these issues are negotiated today.

May 26, 2006

DHS posts privacy workshop materials

Filed under: Privacy and Security — by Christian Beckner on May 26, 2006

The DHS privacy office held a workshop on April 5, 2006 on the topic of “Transparency and Accountability: The Use of Personal Information within the Government.” The transcripts and materials from that workshop are now available online at the following link, including these panelist presentations:

  • Layering Notices: Communications and Accountability (PDF, 17 pages, 6 MB) Marty Abrams, Center for Information Policy Leadership
  • Designing Easy-to-Understand Consumer Financial Privacy Notices (PDF, 26 pages, 698 KB) Loretta Garrison, Federal Trade Commission and Amy Friend, Office of the Comptroller of the Currency
  • IFAI: Access to Information and Accountability (PDF, 13 pages, 662 KB) María Marván Laborde, Federal Institute of Access to Public Information
  • Personal Data Protection in Mexico (PDF, 17 pages, 740 KB) Lina Ornelas, Federal Institute of Access to Public Information, Mexico

May 19, 2006

DHS advisory committee criticizes people-related uses of RFID

Filed under: Privacy and Security, Technology for HLS — by Christian Beckner on May 19, 2006

The Emerging Applications and Technology subcommittee of the DHS Data Privacy and Integrity Advisory Committee has released a draft report on RFID technology this week, the contents of which are summarized in stories from Government Computer News and IT News. The executive summary of the report:

Automatic identification technologies like RFID have valuable uses, especially in connection with tracking things for purposes such as inventory management. RFID is particularly useful where it can be embedded within an object, such as a shipping container.

There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low.

But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security. Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict.

For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings. When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.

This report is likely to irk DHS, given that it uses or is planning to use RFID in a number of identity-related programs and applications, but hopefully it will stimulate a constructive debate about the appropriate use of RFID technology. And this report lays to rest any doubts or concerns about the independence of this advisory committee.

May 15, 2006

Interview with new TSA privacy head

Filed under: Aviation Security, Privacy and Security — by Christian Beckner on May 15, 2006

CNet News published an interview today with new TSA privacy head Peter Pietra that provides a good overview of the current privacy-related agenda facing TSA, including issues such as managing watch list redress issues and the Secure Flight program. It sounds like he has a solid handle on what will be a challenging agenda, but one that it’s important for TSA to work through in order to deliver the potential security benefits of aviation pre-screening.
