The National Counterterrorism Center is now being allowed access to all governmental databases to trawl for suspicious activity. The Wall Street Journal (“U.S. Terrorism Agency to Tap a Vast Database of Citizens”) and the Volokh Conspiracy (“DHS Dresses Up A Turf Fight as a Privacy Issue While Ignoring the Lessons of 9/11″) both report on this development, from opposing perspectives.
Just because one part of the government has a certain set of data, doesn’t mean that all other parts of the government should have it. Your tax return is kept privately within the IRS; records of your immigration applications stay with USCIS; Medicare keeps your health records private; and so on. This kind of data confidentiality used to be routine; but once again, in the service of terrorism, the normal limitations on government power are considered expendable.
This is what happened.
NCTC asked the Department of Homeland Security for access to a database on terror suspects. DHS gave NCTC the disks, on the condition that NCTC, within 30 days, remove information regarding “innocent US persons” (innocent non-US persons are apparently fair game).
NCTC couldn’t do it. In fact, after 30 days they had barely been able to download the database from the disks. Even with another 30-day extension, they couldn’t do it, and in response to this failure, they have demanded, and gotten, even broader access to even more government databases. The only constraint is that any time they access a new database, they have to publish that fact in the Federal Register.
Their problems in removing “innocent US persons”‘ data are completely understandable, because NCTC was anxious that today’s innocent person may not turn out to have been innocent tomorrow. How do you remove innocent people, when nobody is provably innocent?
From a resource standpoint, how could NCTC possibly deploy enough skilled analysts to prove the innocence of the (at minimum) hundreds of thousands of people this one database contained? And that’s just one of the many databases to which they will now have access!
This is an example of what, over at EFF when I was interning there in 2000, we used to call “Data Valdez”. The amount of data being created is enormous and essentially impossible to thoroughly analyze. The federal government has, in its various parts, access to data on every part of our lives, but no matter how fast its computers, it will never, ever have the human resources necessary to process it properly. Demanding access to ever greater oceans of data is not going to help. It’s a processing problem, not a data problem.
That’s why, at CDFAR, we recognize the wisdom for law enforcement of aggressively applying the constraints identified in the Fourth Amendment. Even if you have the ability to collect more data, it works better to consciously commit to collecting less. Law enforcement should, for its own sanity and ours, collect, retain and use in investigations only data that is related to investigations of actual, well-defined crimes committed by previously identified people. Only then will the volume of data collected be low enough that law enforcement will be able to process it thoughtfully and intelligently. Yes, that means that connections will be missed that will only become apparent after the fact of an attack. But we cannot insure perfectly against the probability of future attacks. We have to invest our resources rationally, and we have vastly over-invested in preventing terrorist attacks relative to other things that kill many more Americans.