The Digital Spy: How Technology is Changing the Intelligence Community

Bryan Cunningham and I spoke before the Council on Foreign Relations on May 19, 2006 in Washington DC at a session entitled, "The Digital Spy: How Technology is Changing the Intelligence Community." This session was moderated by Daniel Prieto, Director and Senior Fellow, Homeland Security Center, the Reform Institute.

Here is a link to the transcript.

Bryan is a fellow member of the Markle Foundation’s Task Force on National Security in the Information Age, was Deputy Legal Adviser to the National Security Council, and a senior CIA officer and federal prosecutor, and now a nationally know information security and privacy lawyer. He is one smart dude on the subject of law, information security, policy, and technology. Here are some of the topics he addressed:

• Rethinking the US Person rules as related to foreign intelligence collection
• Predicate-based link analysis over data mining
• Monitoring and addressing terrorist propaganda operations
• Legal and operational aspects of NSA’s reported use of phone toll records
• Why analytics on anonymized data is a "huge, revolutionary idea"
• The Supreme Court case establishing that Americans DO NOT have any legitimate expectation of privacy in phone call routing or toll records
• What might it mean in terms of privacy if computers do the analysis over humans
• The importance of immutable audit logs
• The privacy and civil liberty ramifications of looking at data purely on pattern-based analysis

Bryan has a lot of thoughtful things to say … for more about Bryan check out his website.

I covered such topics as:

• Importance of discovery to solve the Information Sharing Paradox
• Anonymized directories for enhanced privacy protections
• Difficulty in predicting terrorist intent from predicate-less data mining
• Using anonymization to address the government’s cross-compartment exploitation challenges
• The Cali drug cartels’ use of link analysis for their counter-intelligence mission
• Why it might be more efficient to anonymize not only US Persons data but also the non-US Persons data for certain applications
• Avoiding consumer surprise
• What is meant by my use of the term "anonymization" and why, despite various known cryptographic attacks (which can be blunted), this is, in many cases, a better solution than sharing data in clear text
• Technology is going to take us to a place where data will find data and relevance finds the user, and distinctions between data and queries will blur

Damsels in Distress: Stalking Stalkers through London Alleys

My girlfriend, two youngest kids and I were walking from our London summer flat to dinner a couple nights ago.  While in route, I overheard a lady on her cell phone saying something to the effect of “this creep has been stalking me for over a month and NOW I am following him.”  As it turns out, she was talking to the police, but I was unaware of that.

After a few moments to ponder what I had heard, I told my family that I thought she was in distress and possibly needed some assistance.  They agreed.  So I inserted myself into the situation which resulted in a few confrontational words with the 6 foot something dude, then while the distressed damsel and I talked, we watched the stalker dude casually walked off and disappear into a side street.

In short, I decide to tail the stalker.  Almost lost him.  But tracked him unnoticed through a left turn, then right, left, right, left, right and right again.  Luckily, along the way I flagged down a policeman that was willing to involve himself ... despite being unaware of the concurrent phone conversation the distressed damsel was still having with the police department a few blocks away.

So … as the accused stalker stuck his key in the door of his flat and looked over his shoulder, he realized I was standing right there with a policeman.  A precious, unexpected, moment …

The damsel was able to now make a police report with an identified subject … and my family and I had something new to talk about over dinner!

I did listen into her call.  And I did not get permission.  And although she may have been offended for a moment that I had overheard (and acted upon) her conversation … she certainly was very thankful!

Could I have handled this better?  Was there a better way to avoid consumer surprise?  They had very different stories - what if he was an innocent Joe and I actually helped a whacked lady find a nice guys home?  He did tell the policeman that he would have done the same thing had he been in my shoes.

Risk Mitigation Note: Had I not stumbled into a policeman, who knows how the story would have ended.  And although I am ill prepared for any hand-to-hand combat … I did have a secret weapon with me.  But don’t ask as I’d like to protect my sources and methods!

Precision in TSA’s Terrorist Watch List

Government Executive ran a story yesterday entitled, “Lawmakers seek more precision in TSA’s terrorist watch list.”  What makes me crazy is this statement:

           “As more terrorists' identities emerge, the list is growing ever longer. Improved algorithms are needed to both narrow the search for potential hijackers and expedite the boarding process for scores of innocent passengers, according to several members of the House Homeland Security Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment.”

In truth, the problem is hardly going to be solved with better algorithms.  The problem is the ongoing lack of watch list fidelity (i.e., sparse attributes) which causes many false alarms because matching is many times based simply on name similarity alone.

Paul Rosenzweig and I wrote about remedies to this problem and called for improved watch list transparency and redress in this Heritage Foundation paper entitled “Correcting False Positives: Redress and the Watch List Conundrum.”

Other related posting: Comments on the TSA No-Fly and Selectee Watch List Process

Emergent Information Technologies and Enabling Policies for Counter-Terrorism

This recently released Wiley-IEEE book edited by Robert L. Popp and John Yen includes a chapter that I co-wrote with John Karat from IBM Research.

Here is the link, should you be interested in ordering this book:

http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471776157.html

Our chapter is entitled "Anonymized Semantic Directories: A Privacy-Enhancing Architecture for Enterprise Discovery."

In this chapter we describe the importance of having catalogs (directories) for discovery (as required to solve the Information Sharing Paradox). Furthermore, we introduce the concept of using anonymized catalogs to provide this functionality while reducing the risk of unintended disclosure. Key attributes of this architecture include: a) avoidance of a large central data warehouse, b) use of a central index with pointers, c) use of anonymized data during information correlation, and d) use of audit logs. Additionally, the notion of "accumulating context at ingestion" is stressed as a key component for such a catalog in order to enhance accuracy when dealing with real-time data streams.

This chapter also claims one can find more needles by observing more hay. If this strikes you as odd, my blog post entitled More Data is Better, Proceed With Caution may shed some light on this observation.

This is my first book chapter ever – made possible by John Karat’s contributions. Thank you, John.

Stress Relaxing, Eight Sharks and Evading Surveillance Cameras in London

Nothing stresses me out more than trying to relax. So … my two youngest kids (15 and 17 years old) and I found ourselves on Bora Bora two weekends ago trying to have some fun. For starters we discovered everyone else on the island appeared to be a honeymoon couple.

The big adventure was the day we took a boat out into the reef. The locals then anchored a rope in the water … a rope on which one can hold so as not to drift with the current while in snorkel gear. They then proceeded to pour a bucket of blood into the ocean and began throwing chunks of tuna into the water. Once eight sharks were enjoying the food festival … we were invited into the water to watch … up close … no cage … no net. What fun! Of course there were no disclaimers, liability waivers, nothing to sign … only one piece of advice was offered during this excursion … don’t try to pet them! Come to think of it, I’ll bet there were no attorneys within hundreds of miles.

Then yesterday while on the M4 highway between the Heathrow airport and downtown London, the taxi driver kept speeding up then suddenly slowing down for no apparent reason. After paying a bit more attention I realized he knew where every traffic camera was. So I guess the only people who get tickets via these devices must be those unfamiliar with the area (and then they get caught only once). As such, the distracted and forgetful probably get dinged the most.

What do these three tidbits have to do with each other? Nothing.

You Won’t Have to Ask -- Data Will Find Data and Relevance Will Find the User

Next generations of information management systems will not principally rely on users dreaming up smart questions to ask computers. Rather, this new breed of technology will make it possible for data to find itself and relevant discoveries to find the consumer (e.g., a user). And all in real time of course. While this will bring with it new policy debates like which data will be permitted to find which data and who is notified of what relevance, I am going to stay focused in this post on what this technology will enable.

So, here are some examples of what Perpetual Analytics can do:

1. Guest convenience. After tossing and turning in bed all night in a hotel room, the guest finally decides at 7am to call for a late check out and schedule a wake-up call at noon. Shortly, after sinking into a deep sleep, disaster strikes when the maid carelessly knocks on the door to clean the room. No hotel I know of has solved this most basic inconvenience. When the data finds the data, the late check out and wake-up call requests converge with maid scheduling information. This triggers a relevant discovery, which warrants notifying the maid – e.g., via a text message advising this room not be cleaned until after 2pm.

2. Customer service. With interest in a soon to be released book, a user searches Amazon for the title … to no avail. The user decides to check every month until the book is released. Unfortunately, the next time the user looks they find the book is not only sold out but now on back order – awaiting a second printing. When the data finds the data, the moment this book is available this data point finds the user’s original query. As a relevant discovery the user is immediately notified (e.g., sent a text message or email) about the availability of the book.

3. Improved child safety. A parent keen to ensure their young children are safe while walking to school searches the community web site to ensure no registered sex offenders are living on this same route. Will they check this site every day? When the data finds the data, should a sex offender become registered on their kids route to school, this new data will immediately connect with their earlier query. As a relevant discovery, the parent is immediately notified.

4. Cross-compartment exploitation. The government uses "compartments" to intentionally isolate data. Isolating data helps prevent highly sensitive data from escaping. So despite the Presidential mandates for Information Sharing, the Information Sharing Paradox prevents the government from discovering when two such compartments (picture this: on the same floor, three doors away) are dealing with the same subject. For example, imagine one unit working on counter-terrorism and another on counter-narcotics. Of course there are not just two, then this would be easy, but with thousands of compartments across the government, the practicality of locating the data one requires is remote since one never knows who has what information. When the data finds the data, the moment a record is added to the counter-narcotics database of relevance to the counter-terrorism unit (e.g., data involving the same person). This is a relevant discovery and thus notification is immediately published to the appropriate user.

This is not far fetched. It is imminent. It will work, and it will be Scalable and Sustainable. Centralized data catalogs operating with Sequence Neutrality will be at the center of these solutions and Anonymization, Immutable Audit Logs and other privacy-enhancing technologies will (hopefully) play an important role. And while there are endless ways such capabilities will be used to deliver exceptional corporate and consumer advantage, when the government deploys such technology, especially with private sector data (e.g., bio surveillance), we better have really clear policies, oversight and accountability, and enough transparency to Avoid Consumer Surprise.