Report: IT blueprints should address privacy issues

New IT tools such as data mining ought to be used for homeland security only if their intrusiveness on privacy and infringement of due process rights can be adequately addressed in advance, according to a new report from a task force sponsored by the New America Foundation, a Washington-based think tank.

The task force of academics examined technologies that included data mining, link analysis, data integration and biometrics, and recommended that they be deployed in efforts to counteract terrorism "if and only if" privacy protections are in place. It also suggested principles to follow to ensure the protections.

"Even more important than its specific recommendations, this paper is an exhortation to technology developers: Consider privacy at the start of any system development," wrote task force member Paul Rosenzweig, senior legal research fellow at the Heritage Foundation. "Privacy protection methods and code (such as immutable audits, or selective revelation techniques) need to be built into new systems from the beginning, both as a matter of good policy and as a matter of good politics."

One of the principles suggested by Rosenzweig and the Task Force on Protecting the Homeland and Preserving Freedom is that new technologies in cyberspace should comply with existing legal and policy limitations in physical space. For example, if an individual normally has an opportunity to object to a transfer of personal data to a third party, that opportunity should be written within software design for new systems.

To minimize intrusiveness, IT systems for homeland security would be best applied if they are voluntary and used for limited purposes, such as verifying identity or initiating a lead for a law-enforcement investigation. Data mining on its own should not be the source of information used to identify an individual for specific consequences, such as an arrest or preventing a passenger from boarding a plane, Rosenzweig wrote.

"Knowledge discovery technology is best understood as enhancing the efficiency of the information-gathering process. But it should not be seen as an end in itself; just as in the physical world, the enhanced scrutiny must produce tangible results before adverse consequences beyond the fact of scrutiny should be allowed to be imposed," the task force report states.

To reduce the possibility of abuse, the task force recommends distributed architectures rather than a centralized system for collecting data. "The impulse to centralization should be resisted where possible," the report states.

The task force also advises use of technologies that foster anonymity while allowing individuals to be uniquely identified without rendering their specific identities. One way to enhance privacy is "one-way hashing" that allow lists of individuals to be compared without disclosing the identities of the people on the list.

"[The] Disney [Co.]can compare its list of visitors with the Terrorist Screening Center's watch list and neither need disclose the contents of the lists. If, and only if, a match occurs, would Disney be obliged to disclose the identity," the report reads.

New IT technologies should have strong oversight mechanisms built in, being either tamperproof or tamper evident, with automatic audit functions logging all activity for later review, the task force suggested. Also, new technologies should require authorization and review by a public official before deployment to ensure accountability.

Redress mechanisms for false positive identifications must be robust, the task force added. "People's gravest fear is being misidentified by an automated system. The prospect of not being allowed to fly or of being subject to covert surveillance based on electronic records scares them," Rosenzweig wrote. The task force said a formal redress process was needed ? one with administrative and judicial mechanisms ? to resolve such concerns.

The task force is one of nine anti-terrorism working groups convened by the New America Foundation, which are meeting in Washington this week at a conference titled "Terrorism, Security & America's Purpose." Supporters for the event include the New America Foundation, the Rockefeller Brothers Fund, the Hauser Foundation and the New York Community Trust.