Are private firms helping Big Brother too much?

Well-meaning firms may think they are helping fight the war on terror, but the ACLU says this needle-in-a-haystack approach just puts civil liberties in great peril with very little anti-terrorism payoff.

In May 2002, the Professional Association of Diving Instructors voluntarily provided the FBI with a disk containing the names, addresses and other personal information of about 2 million people, nearly every U.S. citizen who had learned to scuba dive in the previous three years. That’s just one of the myriad ways federal law enforcement agencies are quietly recruiting private industry and private citizens as de facto agents in the war on terror, according to a report recently issued by the ACLU called The Surveillance-Industrial Complex. The study paints a picture of an unofficial government policy to enlist companies and citizens in the building of massive databases aimed at monitoring people in the United States.

Well-meaning firms may think they are helping fight terrorism, but the ACLU is warning that this needle-in-a-data-haystack approach puts civil liberties in great peril with very little anti-terrorism payoff.

"Things that sounded like paranoid fantasies and science fiction last month, the next month is reality," said Jay Stanley, who authored the report for the ACLU.  "The biggest surprise is the aggressiveness with which the government is pursuing the concept of data mining. It really does make real the scenarios that privacy advocates have been worried about for decades. We are in the process of making every American a suspect."

Many consumers might not think when they sign up for something as innocuous as scuba lessons that their personal data may ultimately end up in the hands of federal investigators — particularly if the company involved promises in its privacy policy to keep the data private.    But that's exactly what happened in 2002 when JetBlue Airlines gave some 5 million passenger records to a database firm named Acxiom, which was preparing an anti-terrorism product for the government.

Disclosure of that release was followed by admissions from other airlines, leading to public outcry over the voluntary release of data by private firms to the government. But many other such public-private partnerships exist, the ACLU says.  ChoicePoint Inc., known as the data provider for criminal background checks, now has a software product called Homeland Tracker, designed to help companies check individuals against government terrorist watch lists.

"For a lot of these companies, the business model surrounds the sale of information to the government," said Chris Hoofnagle of the Electronic Privacy Information Center. He recently wrote a law review article called "Big Brother's Little Helper," which explores much the same theme as the ACLU's report. The databases being compiled by companies like ChoicePoint, and sold to the government — no court order required —  offer "one-stop mind-boggling power," his article says.

Commercial data brokers like ChoicePoint regularly sell their information to investigators, Hoofnagle says.  For example, documents obtained through a Freedom of Information Act request by Hoofnagle show that the U.S. Marshal's Service ran 20,000 searches per month using such a service. 

Connecting the dots
Don't jump to conclusions about government data mining efforts, says Howard Schmidt, who once ran cybersecurity efforts for the Bush White House.  It's often difficult to see from the outside just why law enforcement might make a particular request for information.

"We talked a lot around 9/11 about connecting the dots.  When you talk about connecting the dots, some of them appear to be obvious, but you're always looking for that one piece of information that's going to make the case, but you don't know where that piece will come from,"  he said. 

For its part, the Professional Association of Diving Instructors admits it gave the FBI access to its records without requiring a court order. Jeff Nadler, vice president of industry relations for the trade organization, still believes it was the right thing to do.

"They were going to individual facilities and asking for records. At one store, they left and came back with a subpoena," he said. So it was inevitable that agents would have been able to obtain the records anyway, he said.  The organization only found out later, through published reports, that an al-Qaeda training manual had suggested agents might try to engineer underwater explosions, and discovery of the manual prompted the data request. "We would make the same decision today," he said.

The FBI didn't return requests for comment about the incident; it's unknown if a search of the data led to any arrests. The data has not yet been returned, Nadler said.

Hoofnagle thinks that publicity surrounding the more infamous data sharing efforts might actually have the opposite effect on some companies, making them even more reticent to play ball with law enforcement officials.  Some Internet service providers, for example, regularly destroy their old data rather than keep it, and then respond to government requests for information by saying it's impossible to comply.

But any efforts to impair the government's ability to make such requests could severely hamper timely investigations, argued a former federal law enforcement official who asked not to be identified.

"Maybe you'll have more privacy, but you certainly limit law enforcement's ability," he said. "You can think of circumstances where law enforcement might make unusual requests to get information." He gave the example of an FBI agent reading an e-mail on a seized computer that mentioned a terrorist suspect owned a 1989 Honda Accord. "Then they would go to the DMV and get records on all 1989 Accords."

Balancing privacy and safety
People on both sides of the discussion -- privacy advocates and law enforcement officials -- often talk about the difficulty in balancing the opposing goals of privacy and safety.  But critics say such data mining rarely pays off, and comes at a great expense to personal liberty.

"The criticism of data mining is it's very unlikely to be effective.  But it's mass surveillance," said Stanley. "All too often it's a lose-lose situation. It's an attempt to make us safer by collecting information, but it's both failing to make us safer and threatening our civil liberties."

Making matters worse, says former Department of Justice attorney Mark Rasch, is the possibility that federal agencies such as the FBI could ultimately share the databases they've built with other nations as a goodwill gesture in the international fight against terrorism.

"A lot of people will say, 'What do I care that the FBI knows I took scuba lessons?' But would they want the Iranian police to know that?" he said. "What if an agency, to foster cooperation with other intelligence agencies, shares the data with (Russia), who then shares it with Iranian intelligence. Then, one day, you visit Iran and they follow you around, or they detain you at the border...."

A problem of accuracy
Rasch also raises another problem with data mining efforts, which he sees as a process that turns private employees from all around the country into de facto federal agents.

"There is the problem of accuracy," he said. "Sure, the surf shop keeps records of who takes scuba lessons, but they're not sitting there with exactitude you would expect if they were acting as an agent of the police." Bad data -- typos, incorrectly entered driver's licenses -- will be common, Rasch says, and will result in unsavory consequences later.

Even some law enforcement agents concede that data mining, and enlisting private industry in the war on terror, can lead to abuses. 

"The answer, 'Just trust us,' is often unsatisfying," said the former federal official.  "If there is no oversight, you can get abuses.  There's a whole series of protections that (must) come into play."

Rasch says federal agencies need to develop clearer guidelines about acceptable use of private industry in the fight against terrorism. Circumventing the judicial process by asking for voluntary release of data is trouble in the making, he said -- even if applying for subpoenas might slow down anti-terrorism efforts.

"Sure, it would be easier (for federal agents) if we were required to broadcast all our telecommunications in public, but that's not the goal of our society," Rasch said. "There's an assumption that the enemy are these old men in robes, and it's not the Taliban, it's the judiciary."

The tension between privacy and safety -- and the databases themselves -- are here to stay, Stanley says. That's why it's important to have a dialog now about the nuances of government data mining efforts. In issuing its report, the ACLU invited private companies to take a "No Spy" pledge. Ultimately, Stanley argues, the process for dealing with data simply needs to be more open.

"Behind the scenes there's a whole new world growing up, where data is being compiled and sold to the government. ... And things are not at all transparent (now)," he said. "If the government is judging individuals and interfering with freedoms based on those judgements, there needs to be due process. There needs to be a way for people on no fly lists to get cleared, lest they end up in a Kafkaesque nightmare."