They've Got Your Number - Get Used to It
It starts December 4 - and it seems to be one of those "why not" ideas that just pop up now and then. The Homeland Security Department's computerized Automated Targeting System was originally designed to track cargo into the United States - looking for patterns and anomalies that might raise a red flag. Carefully inspecting every single shipping container arriving in Long Beach or wherever, for nuclear, chemical and biological nasties, is beyond impractical - but you can use a bit of data-mining on all the records, the bills of lading and cargo manifests and all that. You look for suspicious "patterns" in the details. Then what you actually inspect can be narrowed to what needs inspected - not the bulk containers of shoes from a known and harmless manufacturer in Brazil, where the ship made no unexpected stops in Yemen or Rotterdam. Pattern recognition on large datasets is cool - if you set up the search algorithms cleverly, the needle in the haystack will turn up quickly. There's no need to deal with the hay at all. This stared after the 2001 attacks in New York and Washington.
But why use this technique on cargo only? You could us it on people. Why not? That's what is scheduled to be implemented on Monday, December 4 - individual air passengers as well as flight crews, anyone entering the United States, even Sally from Wheaton returning from visiting friends in Toronto, gets a profile and a score indicating the risk level they represent. It's better than the "winnowing fan" mentioned in Homer - certain people will get the third degree, and the rest can go about their business. There's no direct human judgment involved. The algorithms do all the work and just make certain folks - based on their credit and travel history, what in-flight meals they've ordered, whether they ever got a speeding ticket, or a parking ticket, and who they've mailed things to and what mail they've received, their phone records and all - pop up. It's pattern recognition. There's a ton of data on everyone out there just floating around, unprotected, and you can't review it all on every traveler. So you set up a system to do a massive scan and sit back and wait.
The details of the system were put on a federal notice board last month - the Federal Register, that fine-print compendium of obscure federal rules - but they attracted little attention. The Associated Press reported on Thursday, November 30, that Americans and foreigners crossing the borders since 2002 have been assessed by the Homeland Security Department's computerized targeting system and been given their "risk numbers." And now it goes operational. The Department of Homeland Security says this is no big deal - they posted the information about the profiling system on the notice board as part of their "commitment to open government." They were hiding nothing. They seemed rather proud of the gizmo.
But somehow people were unhappy. Marc Rotenberg, director of the Electronic Privacy Information Center in Washington was - "This is a tremendously significant deal. It means the federal government has secretly assigned a terrorist rating to tens of millions of US citizens."
David Sobel of the Electronic Frontier Foundation told the Associated Press - "It's probably the most invasive system the government has yet deployed in terms of the number of people affected."
But is it invasive? The information is out there, on people and the companies they work for, from the US Treasury (the tax folks), from the customs and immigration departments, and from every law enforcement agency that exists. Commercial airlines supply data through passenger name records, and foreign governments share intelligence on a bilateral basis all the time. It's just a matter of collating it all. And that has been cleverly automated. The systems sets a risk rating for each of us by analyzing information like a history of one-way ticket purchases, seat preferences (some of us like the window seat), by frequent flyer records, by the number of bags checked, how we pay for tickets and what meals we order (flagging vegetarian or Kosher or whatever). No one is spying. The data is out there.
And the DHS folks say the resulting "risk rating" is only used as a guide to immigration officers at the borders "to assist them in selecting passengers to interview upon entry as part of their inspection procedures." It's just no longer the useless random inspection thing. It's more efficient.
The Associated Press writer Michael J. Sniffen (no kidding, that IS his name), on Friday, December 1, adds fascinating detail, like no travelers are not allowed to see or directly challenge these risk assessments ever. And the government intends to keep them on file for forty years. And this is interesting - some or all data in the system can be shared with state, local and foreign governments "for use in hiring, contracting and licensing decisions." Courts and some private contractors can obtain some or all of the data under certain circumstances. But you will not be allowed to see what it is, or challenge it in any way.
Sniffen sniffs around and gets a quote from incoming Senate Judiciary Chairman Patrick Leahy of Vermont - he pledged greater scrutiny of such government database-mining projects after reading about this, as in - "Data banks like this are overdue for oversight. That is going to change in the new Congress."
We'll see. Leahy also said, "It is simply incredible that the Bush administration is willing to share this sensitive information with foreign governments and even private employers, while refusing to allow U.S. citizens to see or challenge their own terror scores." And this system "highlights the danger of government use of technology to conduct widespread surveillance of our daily lives without proper safeguards for privacy." But then, this is the man to whom Vice President Cheney said, on the floor of the Senate, "Go fuck yourself." It will be said again.
By late Friday the government had received twenty-two written public comments the program - and folks either opposed it outright or objected to the lack of a direct means for people to correct any errors in the database about themselves. A typical one was this - "As a US citizen who spends much time outside the US, I can understand the need for good security; however, just as I would not participate in a banking/credit card system where I have no recourse to correct or even view my personal data, I cannot accept the same of my government."
Yeah, well, there's not much you can do about it. They're just looking for patterns in open, public data. It's not like anyone is lying about you. Consider it "interpretation." As with Rubenstein with Chopin or Bernstein with Beethoven, how can you question an interpretation? (Bernstein always conducted Beethoven much too fast, didn't he?)
Barry Steinhardt, a lawyer for the American Civil Liberties Union (of course) is quoted - "Never before in American history has our government gotten into the business of creating mass 'risk assessment' ratings of its own citizens," and he said "we are stunned" the program has been undertaken "with virtually no opportunity for the public to evaluate or comment on it." The reply from the Homeland Security Department was to say the nation's ability to spot criminals and other security threats "would be critically impaired without access to this data." You want to be safe, don't you? Of course selling the "risk numbers" to HR departments of companies who might want to hire you is a bit troubling. But it is pubic data, or an interpretation of it.
But the Sniffen item is interesting as he actually visits the operation. And he does a pretty good Ian Fleming, for an AP staffer -
… on Friday as the normal daily flow of a million or more people entered the United States by air, sea and land, the ATS program's computers continued their silent scrutiny. At that Virginia building with no sign, the managers of the National Targeting Center allowed an Associated Press photographer to briefly roam their work space.
But he couldn't reveal the building's exact location. None of the dozens of workers under the bright fluorescent lights could be named. Some could not be photographed.
The only clue he might have entered a government building was a montage of photos in the reception area of President Bush's visit to the center. But there was only one guard and a sign-in book.
Inside, red digital clocks on the walls showed the time in Istanbul, Baghdad, Islamabad, Bangkok, Singapore, Tokyo, and Sydney. Although billboard-size video screens on the walls showed multiple cable news shows, there was little noise in the basketball-court-sized main workroom. Each desk had dual computer screens and earphones to hear the video soundtrack. Conferences were held in smaller workrooms divided by glass walls from the windowless main room.
Round the clock, the targeters from Homeland Security's Customs and Border Protection agency analyze information from multiple sources, not just ATS. They compare names to terrorist watch lists and mine the Treasury Enforcement Communications System and other automated systems that bring data about cargo, travelers and commercial workers entering or leaving the 317 U.S. ports, searching for suspicious people and cargo.
Why, it's just like a Hollywood movie.
And then we learn that government officials could not say whether the system has actually apprehended any terrorists. They've been using it for four years, in beta mode it seems. Based on all the information available to them, federal agents turn back about forty-five foreign criminals a day at our borders, according to Homeland Security's Customs and Border Protection spokesman Bill Anthony- but he couldn't say how many were spotted by the new system. That's classified, you know. But it now goes fully operational. One must assume it works just fine.
No one, too, would describe in detail "the format in which border agents see the results or in which the databases store the results." Don't ask. Just know they have your number - actually a number - or soon will.
So how do you feel about this? The data is out there - as above, no one is spying on you. The government is supposed to be alert to threats to us all - that's their job, or part of it. And data-mining is a fact of life - retailers have used it for decades to make all sorts of marketing decisions, looking at terabytes of seemingly random demographic and economic data to decide what to make and try to sell, and just where and at what price. The government shouldn't do something with such technology, to keep us safe?
Perhaps the initial negative reaction to all this has to do with being assign "a number" you will never know, that defines how much of a threat you are to the nation, and it will stay with you for forty years, and be offered to potential employers. Did we sign up for this?
Note: Those of us who have worked in systems know the danger of someone working the system to raise someone's "risk number" out of personal anger or for political ends, and the parallel risk of someone from the outside hacking the system just to have some fun doing the same, or to make some bad guy "low risk." That's not very comforting.