The FBI STAR Terrorist Risk Assessment Program Should Raise Renewed Concerns about Private Sector Data Mining
By ANITA RAMASASTRY
----
Tuesday, Jul. 24, 2007
The Justice Department recently submitted a report to Congress, setting forth a series of data-mining initiatives it is undertaking. Data-mining, as readers may be aware, involves sorting through large sets of data to discover patterns. This can be done with the aid of computers and special algorithms.
The FBI says its data mining efforts simply automate investigations that were previously conducted by agents involved in labor-intensive research. And many of the FBI's initiatives seem potentially laudable - in that they are directed toward stamping out various types of crime, including identity theft and Medicare fraud. There is one initiative, however, that should give the public a little more concern:
Click here to find out more!
The FBI is also developing a computer-profiling system that would enable agents to better investigate possible terror suspects.
The System to Assess Risk ( STAR) will assign so-called "persons of interest" a score that, according to the FBI, will signify the likelihood that each is a terrorist threat, and indicate whether each deserves further investigation. In this column, I will briefly outline the basics of STAR. I will also argue that Congress should ask the FBI for more details about the nature of the commercial data that will be used, and what sort of measures will be taken to ensure such data is accurate or, if erroneous, capable of being corrected.
How STAR Will Work: Assigning a Risk Score to Foreign, But Also Possibly U.S. Persons
Using STAR, the FBI will identify possible suspects by running the names of persons it believes may pose a terrorist threat through a large database. Based on the information in the database, STAR's computer will generate a risk score for each person, using certain algorithms that incorporate up to thirty-five risk factors. STAR is meant to focus primarily on foreign suspects, and will be spearheaded by the FBI's Foreign Terrorism Tracking Task Force (FTTTF). Country of origin might be weighed in the process of assigning a person's score, as might a name's presence on a terrorist watch list.
However, because foreign suspects may have U.S. associates, American citizens and residents could also be included. Accordingly, the FBI has not promised not to run Americans through the database. It has, however, promised that access to STAR will be limited to trained users; that data will be obtained lawfully; and that results would be kept within the FBI's Terrorism Tracking Task Force.
The Sources of the Data that Will Result in the Risk Score
In assigning the score, STAR would draw upon a variety of information from many sources, using a process similar to consumer credit scoring. Rather than predicting whether someone is a poor credit risk, however, the STAR score will identify whether someone is likely to be a terrorist.
While the FBI's report is a bit vague as to how STAR, when created, will operate, it is clear that STAR will use data from both public and private databases, compiled into a large data warehouse referred to as the FTTTF Data Mart. For example, the report says that STAR will rely on data aggregator Choice Point. The Data Mart will also include, for example, airline records, records relating to driver's and pilot's licenses, employment histories, and records of present and past addresses.
As I have written before, because government searches of data like this are not deemed to fall within the Fourth Amendment, no search warrant in necessary. Such information is no longer considered legally private, and thus constitutionally protected, when individuals have disclosed it to third parties such as magazine subscription services, airlines, and other businesses. Nor does the federal Privacy Act apply.
Potential Problems with STAR: Accuracy and Privacy
Some lawmakers have already expressed the view that the FBI report raises new questions about the government's power to use personal information and intelligence without accountability. Privacy experts have called this use of private sector data the "industrial surveillance complex," charging that the government, by employing commercial data, is conducting surveillance via an end-run around the Fourth Amendment.
As well as privacy concerns, accuracy concerns have also been raised. One particular worry is that flawed data (from either the government or private companies) might make its way into the STAR assessment, leading individuals to unjustly find themselves under suspicion. It is unclear whether individuals assigned risk scores will have any way of seeing the data on them that is contained in FTTTF Data Mart, so that they can correct it if it is erroneous.
That's disturbing, because there is little statistical evidence about the accuracy of such data. What evidence exists, in addition, is not encouraging: Some studies of consumer credit reports indicate that many consumers have errors on their credit records; identity theft is a growing problem; and many mistakes on the no-fly and selectee lists have been identified when innocent persons are wrongly flagged.
There is one cause for hope, however: The STAR system would be subject to a privacy-impact assessment before being launched in final form. That may address some privacy concerns, but accuracy, too, is an important priority. Thus, Congress needs to press the FBI for further information about the sources of the data it will be using, whether such data contains errors, and if it does, how those errors may be corrected.
Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.
No comments:
Post a Comment