FC: Replies to "What's so bad about Total Information Awareness?"

From: Declan McCullagh (declanat_private)
Date: Thu Dec 12 2002 - 20:07:22 PST

  • Next message: Declan McCullagh: "FC: More on data mining, TIA, and how to ID terrorists"

    Other Politech messages:
    http://www.politechbot.com/cgi-bin/politech.cgi?name=poindexter
    
    ---
    
    To: declanat_private
    Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
    From: "Thomas A Giovanetti" <tomgat_private>
    Message-ID: <OF2821FA80.E4B93BD6-ON86256C8B.001EE99E@org>
    Date: Mon, 9 Dec 2002 23:48:35 -0600
    
    If Ben is so bright a researcher, he should know better than to make such a 
    glaring error in the first sentence of his post.
    
    TIA is NOT authorized in the Homeland bill. It was authorized as a DOD 
    (Dept. of Defense) appropriation.
    
    In fact, the Homeland bill contains an explicit provision to ban anything 
    like the TIA from ever being implemented.
    
    And that's good.
    
    Now we need to get TIA cancelled from the DOD budget.
    _______
    Tom Giovanetti
    President
    Institute for Policy Innovation (IPI)
    http://www.ipi.org
    
    ---
    
    Date: Tue, 10 Dec 2002 16:53:01 +1100
    From: Nathan Cochrane <ncochraneat_private>
    Reply-To: ncochraneat_private
    Organization: The Age newspaper
    To: declanat_private
    Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
    
    Hi Declan
    
    Much of what Ben writes has merit. To paraphrase:
    
    1. Private companies use different, often incompatible technologies.
    
    2. There are usually several instances of the same person in different 
    databases held in the same company.
    
    3. There is no easy way to capture an individual's virtual identity across 
    multiple databases short of mandating use of a national ID card and number 
    at every transaction.
    
    4. Lives could be ruined by poor use of information.
    
    The drive by groups such as OASIS, Microsoft, IBM and Sun to deliver 
    eXtensible Markup Language (XML)-- a single rail gauge for online 
    information sharing -- makes linking systems easier. Although it will be 
    several years before this really takes hold because taxonomies still have 
    to be ratified, software coded, systems migrated etc. But already law 
    enforcement is looking at this area closely as a way to easily find the 
    people and legal documents it is looking for.
    
    Legal XML lawful intercept technical committee announcement
    http://lists.oasis-open.org/archives/tc-announce/200211/msg00007.html
    "If emergency or exigent conditions exist ... judicial issuance of an 
    authorizing instrument (warrant) can usually be altered by the LEA (law 
    enforcement agency) using another instrument coupled with a posteriori
    judicial or administrative action."
    
    MORE:
    Legally speaking, it's a brief transition
    http://www.theage.com.au/articles/2002/12/09/1039379779706.html
    
    Just because an investigator can't be 100 per cent certain a particular 
    identity is the one s/he is looking for, doesn't mean they can't be more or 
    less sure, at least so far as to continue an investigation. This raises a 
    bigger question, how much information will be winnowed out, and what 
    processes will exist to maintain privacy during this phase? By their very 
    existence, these sorts of fishing expeditions are harmful to a free society.
    
    Governments around the world already have national id card and number 
    systems. In Australia it is the tax file number for individuals and BAS 
    number for business. You can't transact without using these numbers, all of 
    which is fed into government systems accessible by LEA here and in the US. 
    In the US there is a drive to do the same thing with drivers' licenses. A 
    single unique key is not necessary when you have a range of keys that can, 
    in unison, provide a high level of confidence.
    
    DARPA is moving ahead with its plans to fund TIA. A few hours ago I spoke 
    with a member of the executive management team of supercomputer maker Cray 
    Inc. Cray is one of five companies each receiving $US3 million to fund a 
    feasibility study into developing a petaflop computer. Big applications for 
    this sort of computer are to track in real time the movements of people, 
    understand how biochemical agents spread in populations dutring 
    bioterrorism attacks, break complex crypto and trawl through signal streams 
    using semantic forests to find patterns.
    
    Semantic forests article by Suelette Drefus
    http://www.underground-book.com/articles/CyberWireDispatch-1999-11-30-Semantic-Forests.php3
    
    And just because a failed implementation would destroy an innocent's life 
    is no reason for a government not to do it. The authorities would see that 
    an arrested, imprisoned or executed innocent is a small price to pay for 
    continued national security and the lives of millions, or the interests of 
    a select few.
    
    ---
    
    Date: Tue, 10 Dec 2002 10:42:28 -0800 (PST)
    From: Ben Polen <benpolenat_private>
    Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
    To: declanat_private
    
    Declan,
    
    Reading Ben's post reminded me of Terry Gilliam's movie
    "Brazil." In the noir sci-fi flick, the government is
    basically running its own version of TIA and a bug in the
    systems (literally, a fly interferes with the operation of
    a typewriter) leads to the arrest and prosecution of the
    wrong man. Its quite an amazing movie overall, but the dire
    warnings about a surveillance society (and a powerful state
    supporting it) are even more important now, in our USA
    Patriot/TIA/Homeland Security world. The director's cut of
    "Brazil" is worth another viewing for all Politechnicals.
    Seriously, don't even bother with the edited version.
    
    -Ben
    
    PS feel free to post this if you do a follow up to Brunk's
    
    ---
    
    Date: Mon, 09 Dec 2002 21:29:50 -0800
    To: declanat_private, politechat_private
    From: Lizard <lizardat_private>
    Subject: Re: FC: What's so bad about Total Information Awareness? by
       Ben Brunk
    
    At 08:57 PM 12/9/2002, Declan McCullagh wrote:
    
    >---
    >
    >Date: Mon, 09 Dec 2002 22:34:13 -0500
    >From: Ben Brunk <brunkbat_private>
    >To: declanat_private
    >Subject: Debunking TIA
    >
    >Declan,
    >
    >
    >
    >Many of these sources of information are private databases owned and 
    >maintained by the corporations that rely on them.  Even if they were all 
    >implemented in say, Oracle, it would be difficult to match up records to 
    >any reliable degree.  Who knows if the John Poindexter in one database is 
    >the same as Jon Pointdexter in another?
    
    
    Bingo.
    
    Ever see 'Brazil'?
    
    Tuttle, Buttle, what's the difference?
    
    The thing is, no one is going to do a rational analysis and say "This can't 
    work." If they do, they'll be ignored. Government isn't about doing things 
    that work. Government is about looking like you're doing something. Simply 
    honestly saying "There is nothing you can do to stop a determined madman 
    from killing innocent people. Period. That's the price you pay for freedom. 
    When people say that the tree of liberty must be watered in blood, they 
    don't just mean the blood of those who volunteered for the job. A free 
    society is one in which there is danger. Deal with it, or move to North 
    Korea." will not get you re-elected. Promising false safety, out-and-out 
    lying, will get you re-elected, by a wide margin.
    
    Nothing can stop the 'Homeland Security' juggernaut, because of the nature 
    of politics. We'll just have to wait for the next revolution.
    
    ---
    
    Date: Tue, 10 Dec 2002 00:10:05 -0800 (PST)
    From: Marc Hedlund
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: What's so bad about Total Information Awareness? by Ben
      Brunk
    
    Declan,
    
    The criticism I would make of Total Information Awareness (TIA) and
    the Department of Homeland Security (DHS) in general is that they are
    agressively centralized solutions to an agressively decentralized
    problem.  I would feel better about our government's efforts to fight
    terrorism if I heard much more discussion of decentralized solutions,
    and an economic and organizational plan that blended centralized and
    decentralized approaches to the problems of terrorism.
    
    The vast majority of discussion around government response to 9/11 has
    framed the question as, "How can we change the Federal government to
    prevent terrorist attacks?"  The DHS is a Federal entity composed of
    existing Federal entities.  Its efforts, and likewise the Pentagon's
    TIA proposal, have (in public discussion at least) been described as
    aiming to ensure information is shared between sources, analyzed at a
    single desk, and acted upon by a central enforcement agency.  In other
    words, these efforts aim to centralize information about potential
    terrorist acts.
    
    Certainly these are approaches worth using.  The INS sending Mohammed
    Atta a letter to his Florida address months after 9/11 can only
    provoke a wish for a better head on the shoulders of our national
    bureaucracy.  But do we really believe that terrorists -- who
    presumably have heard about the DHS -- will act in the future in any
    way that would trigger DHS or TIA attention?
    
    We know these terrorists are determined and willing to spend enormous
    time and resources preparing a plan.  Terrorist groups, we're told,
    plant "sleeper cells" in our country years before an intended attack,
    and these cells work strenuously to avoid detection or contact with
    other cells.  Assume that we go ahead with a TIA-type program, or even
    just the DHS as planned, and that we are now able to monitor and
    correlate border entries, large cash transfers, anomalous airline
    ticket purchases, and whatever other data might alert a central
    authority of terror plans.  Does this really prevent terrorism?  Do we
    believe that no terrorist could ever enter the country without
    creating a record, bring gold or drugs or something else to convert to
    cash on the black market, buy a round-trip ticket rather than a
    one-way ticket, and so forth?  It seems obvious that even if
    centralized data collection, analysis, and response help the problem,
    they certainly do not solve the problem.  A determined attacker -- as
    the 9/11 attackers certainly were -- will do what it takes to avoid
    TIA triggers.
    
    Furthermore, is it really the best thing for the country for the FBI,
    the CIA, and now the DHS to focus so intently on preventing terrorism
    from Washington?  I was taken aback to read in the November 21st New
    York Times that
    
       ...the [FBI]'s commitment to nonterrorism cases that were once
       staples of the bureau dropped significantly in the months after the
       Sept. 11 attacks. The number of agents working narcotics cases
       dropped 45 percent, bank fraud cases dropped 31 percent and bank
       robbery investigations dropped 25 percent, according to the Justice
       Department figures, even though the number of reported crimes in
       some cases went up.
    
    I can only wonder what has happened to the CIA in parallel.  The FBI
    existed for good reason prior to 9/11 -- fought serious and difficult
    crimes prior to 9/11 -- and yet it is now being criticized roundly for
    not dropping its earlier priorities more quickly and completely.
    (Senator Charles Grassley of Iowa was quoted in the same article as
    saying, "Old habits die hard at the FBI.")  We are debilitating the
    prevention of crimes that not only still occur, but are increasing.
    Who will take up fighting these crimes if not the FBI?  Probably state
    and local law enforcement.
    
    Let's look at that for a moment.  Prior to the Millenium celebrations,
    a truck filled with bomb-making equipment was stopped at a ferry
    crossing in Port Angeles, Washington, and this probably prevented a
    serious attack.  While the person who stopped the truck was a Federal
    employee (a Customs Inspector), the reason for the stop was not a
    centralized database nor an alert from a centralized agency.  Instead,
    the driver was stopped because he seemed suspicious.  An individual
    acted on a hunch, investigated, and stopped an attack.  We should
    learn from this, and we're not.
    
    Rather than centralizing, another approach to fighting terrorism would
    be to concentrate resources on training local law enforcement officers
    how to better spot and combat terrorism; that is, how to be more like
    the Port Angeles Customs Inspector.  Rather than sucking all possible
    data sources into the Pentagon or the DHS, we could distribute
    knowledge to the local -- far more numerous -- law enforcement
    resouces who are far more likely to be able to prevent terrorism.  How
    do you interview someone seeking admission to the country, or to a
    sports arena?  What are the signs of lying that may be visible in
    facial expressions or demeanor?  What set of purchases might signal an
    attempt to build a bomb?  What are the little details a
    carefully-trained eye might be able to piece into detection of a
    terrorist?  This is what I mean by a decentralized approach.  Move the
    effort to the more massive, more distributed, more intuitive body of
    law enforcement coming into daily contact with the same terrorist
    cells trying so hard to look normal.  If sleeper cells lie dormant for
    years, local police will very likely encounter at least one member of
    the cell in that time.  Don't we want those police officers to know
    what questions to ask that might detect the cell?
    
    We could be taking this approach, but we're not.  We could be
    improving the ability of local law enforcement to detect terrorism --
    but instead we're degrading that ability, since we're shifting the
    FBI's traditional crime-fighting work onto local resources.  The one
    method that has actually prevented a terrorist attack on US soil is
    not being used, and is instead being inhibited.  We are focusing on
    centralizing intelligence and resources when instead -- or at least in
    addition -- we should be decomposing, distributing, decentralizing.
    
    I'm not suggesting, obviously, that the Federal government has no
    role, nor a minimal role.  Watch lists and signals intelligence and
    data warehousing almost certainly are key tools for fighting
    terrorism.  But before we go too far in creating (or trying to create)
    a grand unified database of all electronic transactions, maybe we
    should think first about whether this is a problem best solved by
    brute force data analysis, or a smart cop on the street.
    
    Marc Hedlund
    e: marc at precipice dot org
    
    ---
    
    From: "Carrick Mundell" <carrickat_private>
    To: <declanat_private>
    Subject: RE: What's so bad about Total Information Awareness? by Ben Brunk
    Date: Tue, 10 Dec 2002 08:45:10 -0800
    
    Declan,
    
    Ben Brunk really spells it out.  If the probability of finding a terrorist
    using TIA is practically nil, then the system must be going to be used for
    other purposes, namely, domestic spying.  By increasing the size of the
    target (e.g. libertarians, liberals, privacy hawks, greens, pro choicers,
    Democratic Party donors, persons-we-hate, and, oh yeah, terrorists) maybe
    TIA will prove more useful.  What's so bad about Total Information
    Awareness?  Everything.
    
    -Carrick Mundell
    
    ---
    
    Subject: RE: What's so bad about Total Information Awareness? by Ben Brunk
    Date: Tue, 10 Dec 2002 08:59:19 -0800
    From: "Ron Schweiger" <Schweigat_private>
    To: <declanat_private>
    Content-Transfer-Encoding: 8bit
    
    Benjamin is missing one little point that TIA will be widely successful
    at which is monitoring ordinary American's. With a 5% error rate they
    will know exactly what 95% of every American is doing at any given time!
    
    Ron
    
    ---
    
    Date: Tue, 10 Dec 2002 19:09:45 -0800 (PST)
    From: Sascha Goldsmith <saishat_private>
    Subject: Re: FC: What's so bad about Total Information Awareness? by Ben Brunk
    To: "Christopher A. Petro" <petroat_private>,
        Declan McCullagh <declanat_private>
    
    "I am SHOCKED, shocked to find gambling in this establishment"
    
    "Sir, your winings..."
    
        - Casablanca
    
    CP!!!
    
    I thought you were the leading "privacy/individual rights/get 'yer 
    publicly-funded mitts off my data" individual I knew!!!
    
    That having been said, I agree with a lot of what you had said, with a few 
    caveats.  (God, this sounds a lot like our discussions at work, n'est-ce pas?)
    
    First, I think you are right.  There is plenty of low-hanging fruit.  (I 
    cannot help but wonder if your current vocation makes you more entreated to 
    security collection than your last, but that is only a supposition).  The 
    point is:  you are right.
    
    However, as a drug-loving, freedom-loving, felony-avoiding indvidual, I 
    cringe.  We have no privacy.  Live it, but don't love it.  And for God's 
    sake, don't encourage it.  This leads me to my caveat.
    
    I fully and toally, without reservation, back the establishment of a 
    British-like MI5 organization in this country.  They have statutory 
    limitations.  They have a charter, a mission.  And they do it well.  It 
    took dozens or IRA bombings to lead to its inception, but the institution 
    has adapted and learned and works.  We can leverage their decades of 
    experience, and coupled with our simlilar traditions, the experiment should 
    work.
    
    Here is why:  call me a nut, call me a cashew.  But I fully believe that 
    the FBI has been, is, and will always been unsuited for intelligence.  The 
    duties of prosecution and espionage have significantly difference 
    attributes.  Let's not dilute the FBI so it does both poorly.
    
    With a newly funded department, focused on a singular mission, their powers 
    to use the data (i.e. pool it with the DEA, IRS, FBI, etc.) will be limited 
    by statue.  However, their ability to pool information on terrorists (how 
    that is decided is a tricky issue, but at least you have a separation) 
    should be FULLY exercised in the manner your email eloquently 
    describes.  Pool databases, tap into corporate records, share information 
    with the DEA, IRS, FBI, CIA, NSA, DIA and any other TLA they need to.
    
    All I want, as a libertarian, is a "separation of powers".  In the most 
    gracious nod to the founders I can muster, let's separate in a statutory, 
    congressional and judicial way, the powers afforded to the aforementioned 
    entities and the newly created US-MI5.  (Hell, if we could get James Bond, 
    I would sleep BETTER at night!)
    
    So, in general, I agree with you.  But with the abject failure of 
    aforementioned institutions to respect their jursidictions and to hoard 
    information from other agencies, not to mention the abject failure to stop 
    9/11, let's start from scratch.  Let's protect ourselves with an agency 
    that is ONLY dedicated to that purpose.  I'm not talking about Homeland 
    Security.  I'm talking about the tech of the NSA, the guile of the CIA, the 
    resources of the DIA, and a whole lot more nefarious to boot.  (Let THEM 
    fear the Hellfire missiles from the Predators or the idea of being tapped, 
    not me).
    
    Getting off my soapbox,
    
    Saish
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 20:59:15 PST