Secondary Screening


August 23, 2004 | What's in a Name?

The Army Inspector General, relying on a technicality in the Privacy Act, decided that the Army did not violate the Privacy Act when one of its contractors tested a data-mining algorithm on JetBlue's passenger database.

Read more here in my story in today's Wired News.

The redacted report (in searchable PDF form) can be downloaded here.

The IG took seven months to complete the review and then decided not to release it publicly. I was able to get a copy only after filing a FOIA.

I'd been trying to get a copy of this report and the related Army documents since October. I got nowhere with these requests, since the Army decided it would not release any documents until the IG finished its investigation.

I finally got some redacted documents (not the report) in early August, which indicated that the IG investigation was done, though no one at the Army would confirm that.

I'll have more on the other FOIA documents here later this week, but first I'd like to pose the question: What is the point of classifying Inspector General reports?

Well, in this case, it looks like the Army IG wrote a report that clears the Army of wrongdoing, sent a couple of redacted copies to the Hill in order to mollify some senators and then declined to make the report public.

It's not too tough to infer why the IG didn't publish the report.

But more importantly, the Army IG's reading of the Privacy Act sets a precedent on how the government interprets the law.

The Privacy Act was meant to prevent secret databases and to prevent databases from being used for purposes other than what they were set up for. For example, it prevents the FBI from searching the IRS's databases for information on a suspect, unless the FBI has a warrant.

But roughly speaking, there are now two advanced ways of finding information in a database. One is known as "link analytics." Under this method, a database investigation would start with a suspect and then look for hidden links to other people or transactions.

In short, you start with a name and end up with a list of other names or transactions.

The other is what people refer to as "data mining." While data mining encompasses a wide range of ways to make sense of masses of data, in the anti-terrorism context it is usually thought of as a process of discovering terrorist plots or terrorists by looking for patterns of activity.

This was the idea behind the Total Information Awareness program, which generated enough heat to be shut down publicly. (Large chunks of this project got moved into the DoD's black budget.)

Notice that this technique starts with a pattern and results in names.

This technique isn't necessarily wrong and is useful for finding patterns of securities fraud and money laundering in the morass of financial data generated daily in our economy.

But the reasoning in the IG ruling means that these databases aren't subject to the Privacy Act, so long as an investigator never searches directly for a person's name.

There's no reason to exempt these kinds of databases from the Privacy Act. It's really not that stringent a law. It simply requires notice of a database's existence and its uses, and requires the government to inform people when it collects information from them.

Posted by Ryan Singel at August 23, 2004 09:52 AM


My penis hurts...

Posted by: Joe Cypherpunk at August 27, 2004 12:21 AM
