EPIC on data mining
p2pnet.net News:- Remember the TIA – the closed-loop “Total Information Awareness” (TIA) computer system, “envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant,” as EPIC (Electronic Privacy Information Center) once described it?
Dr John Poindexter was the convicted felon named to head the Pentagon’s IAO (Information Awareness Office), an arm of DARPA, the DoD’s central research and development organization. One of the IAO’s primary tasks was to develop and build the TIA.
That was then. And now congress must pass laws “to protect civil liberties when the government sifts through computer databases containing personal information,” says a report from EPIC’s Technology and Privacy Advisory Committee (TAPAC), “established to review the Defense Department data mining initiatives after the Total Information Awareness fiasco”.
TAPAC has released a report in which it makes 12 recommendations which among other things, proposes that federal agencies be required to obtain authorization from a special federal court “before engaging in data mining with personally identifiable information concerning U.S. persons”.
Summary of TAPAC Recommendations
Recommendations Concerning DOD Data Mining
RECOMMENDATION 1
DOD should safeguard the privacy of U.S. persons when using data mining to fight terrorism. ‘Data mining’ is defined to mean: searches of one or more electronic databases of information concerning U.S. persons, by or on behalf of an agency or employee of the government.
RECOMMENDATION 2
The Secretary should establish a regulatory framework applicable to all data mining conducted by, or under the authority of, DOD, known or reasonably likely to involve personally identifiable information concerning U.S. persons. The requirements of this section apply to all DOD programs involving data mining concerning U.S. persons, with three exceptions: data mining (1) based on particularized suspicion, including searches of passenger manifests and similar lists; (2) that is limited to foreign intelligence that does not involve U.S. persons; or (3) that concerns federal government employees in connection with their employment. Data mining that is limited to information that is routinely available without charge or subscription to the public?on the Internet, in telephone directories, or in public records to the extent authorized by law?should be conditioned only on the written authorization described in Recommendation 2.1 and the compliance audits described in Recommendation 2.5. All other data mining concerning U.S. persons should comply with all of the following requirements:
RECOMMENDATION 2.1
Written finding by agency head authorizing data mining. Before an agency can employ data mining known or reasonably likely to involve data concerning U.S. persons, the agency head should first make a written finding that complies with the requirements of this recommendation authorizing the data mining.
An agency head may make the written finding described above either for programs that include data mining
as one element, and data mining concerning U.S. persons may occur, or for specific applications of data mining where the use of information known or likely to concern U.S. persons is clearly anticipated.
RECOMMENDATION 2.2
Technical requirements for data mining. Data mining of databases known or reasonably likely to include personally identifiable information about U.S. persons should employ or be subject to the requirements of this recommendation (i.e., data minimization, data anonymization, audit trail, security and access, and training).
RECOMMENDATION 2.3
Third-party databases. Data mining involving databases from other government agencies or from private industry may present special risks. Such data mining involving, or reasonably likely to involve, U.S. persons, should adhere to the principles set forth in this recommendation.
RECOMMENDATION 2.4
Personally identifiable information. It is not always possible to engage in data mining using anonymized data. Moreover, even searches involving anonymized data will ultimately result in matches which must be reidentified using personally identifiable information. The use of personally identifiable information known or reasonably likely to concern U.S. persons in data mining should adhere to the following provisions:
An agency within DOD may engage in data mining using personally identifiable information known or reasonably likely to concern U.S. persons on the condition that, prior to the commencement of the search, DOD obtains from the Foreign Intelligence Surveillance Court a written order authorizing the search based on the existence of specific and articulable facts that meet the requirements of this recommendation.
DOD may seek the approval from the Foreign Intelligence Surveillance Court either for programs that include data mining as one element, and data mining of personally identifiable information known or likely to include information on U.S. persons may arise, or for specific applications of data mining where the use of personally identifiable information known or likely to include information on U.S. persons is clearly anticipated.
An agency may reidentify previously anonymized data known or reasonably likely to concern a U.S. person on the condition that DOD obtains from the Foreign Intelligence Surveillance Court a written order authorizing the reidentification based on the existence of specific and articulable facts that meet the requirements of this recommendation.
Without obtaining a court order, the government may, in exigent circumstances, search personally identifiable information or reidentify anonymized information obtained through data mining if it meets the requirements of this recommendation.
RECOMMENDATION 2.5
Auditing for compliance. Any program or activity that involves data mining known or reasonably likely to include personally identifiable information about U.S. persons should be audited not less than annually to ensure compliance with the provisions of this recommendation and other applicable laws and regulations.
RECOMMENDATION 3
DOD should, to the extent permitted by law, support research into means for improving the accuracy and effectiveness of data mining systems and technologies, technological and other tools for enhancing privacy protection, and the broader legal, ethical, social, and practical issues in connection with data mining concerning U.S. persons.
RECOMMENDATION 4
The Secretary should create a policy-level privacy officer.
RECOMMENDATION 5
The Secretary should create a panel of external advisors to advise the Secretary, the privacy officer, and other DOD officials on identifying and resolving informational privacy issues, and on the development and implementation of appropriate privacy protection mechanisms.
RECOMMENDATION 6
The Secretary should create and ensure the effective operation of meaningful oversight mechanisms.
RECOMMENDATION 7
The Secretary should work to develop a culture of sensitivity to, and knowledge about, privacy issues involving U.S. persons throughout DOD’s research, acquisition, and operational activities.
Recommendations Concerning Government Data Mining
RECOMMENDATION 8
The Secretary should recommend that Congress and the President establish one framework of legal, technological, training, and oversight mechanisms necessary to guarantee the privacy of U.S. persons in the context of national security and law enforcement activities.
RECOMMENDATION 9
The Secretary should recommend that the President appoint an inter-agency committee to help ensure the quality and consistency of federal government efforts to safeguard informational privacy in the context of national security and law enforcement activities.
RECOMMENDATION 10
The Secretary should recommend that the President appoint a panel of external advisors to advise the President concerning federal government efforts to safeguard informational privacy in the context of national security and law enforcement activities.
RECOMMENDATION 11
The Secretary should recommend that the President and Congress take those steps necessary to ensure the protection of U.S. persons’ privacy and the efficient and effective oversight of government data mining activities through the judiciary and by this nation’s elected leaders through a politically credible process. Specifically, Congress and the President should authorize the Foreign Intelligence Surveillance Court to receive requests for orders under Recommendations 2.4 and 8 and to grant or deny such orders, and each house of Congress should identify a single committee to receive all of the agencies’ reports concerning data mining.
RECOMMENDATION 12
The Secretary should recommend that the President and Congress support research into means for improving the accuracy and effectiveness of data mining systems and technologies; technological and other tools for enhancing privacy protection; and the broader legal, ethical, social, and practical issues involved with data mining concerning U.S. persons.
