The Foreign Intelligence Surveillance Act (FISA) is just the latest salvo in an attempt to install a surveillance society in America. Don’t let anger at the Bush administration and Fear Uncertainty and Doubt (FUD) over the NSA blind you to a much larger problem. We need a comprehensive national policy on data collection and its use in both the public & private sectors. Privacy rights and the associated laws must be clarified and strengthened, taking into account the complexities of modern technologies. The wall between government and private industry must also be restored.
Theoretically, U.S. laws and policies restrict the government’s use of dossiers on individual citizens who are not under criminal investigation. President Carter’s Executive order 12036 prohibited domestic surveillance. There are no such laws preventing private companies from doing so, as long as they ensure that specific protected pieces of data (your social security number, for example) aren’t lost or stolen or otherwise compromised. And some people in the intelligence community have been trying to get their hands on that commercial data for years.
Knowledge for Sale
There are many companies that aggregate, or gather together, publicly or privately-available information about YOU – down to the household or even individual level – your job, your income, the value of your house, what kind of car you drive, how many children you have and where they are enrolled in school, what charities you donate to, what magazines you subscribe to, what political contributions you have made. One of the largest, Acxiom, has been in business since 1969, and according to its 2007 Annual Report, has total assets in excess of $1.65 Billion. Other well known data aggregators include Lexis Nexis, Experian, TransUnion, and ChoicePoint. Any public record can, and will, be added to these private databases. Remember that the next time you’re tempted to fill out a survey or a warranty card or sign up for a grocery store club card. Who do you think is paying for that discount?
All those records are analyzed for patterns, and those patterns create group profiles. For example, Acxiom has defined 70 specific “life stage segments” based on the kind of criteria above. And they’re good. (Disclosure: I worked at a dot.com startup some years ago that existed specifically to gather user data, so it could be sold to Acxiom. They went under less than a year after I quit. It was a stupid site.) Acxiom can infer – correctly – what kind of wine you might buy based on random-seeming datapoints such as your age, the car you drive, and the magazines you subscribe to. It’s creepy scary. Another firm, ChoicePoint, has its own niches in the market: insurance data, background checks, tenant screening, employment screening, and more.
Then these companies sell access to their data to anybody who will pay. You can find data aggregators who will help you: grow your business, develop market-targeted products, find a new customer, or win a campaign. If you need a list of names, there’s someone out there who has it and will sell it. How about a list of suburban households in their low 30’s with a combined income between $55-75K, three kids under 15, a Ford Taurus, and a subscription to Outdoor magazine? Or retired single childless teachers who wear prescription lenses and prefer Grey Goose vodka? Need to find out if a potential child care provider is a sexual offender? Write a check, run a query.
There are myriad ways these kinds of reports can be used to manipulate. The most obvious is in product development and marketing. If a company has a product line that’s not selling well, they can mine their customer data to identify the segments that buy the product, and focus their advertising and marketing on that segment. Or they can create marketing language that will appeal to a wider range of segments. This is Business 101 stuff. It’s fairly easy for an aware consumer to find the line between selling me what I want to buy, and convincing me that what I want is what you have to sell.
K Street meets Madison Avenue
Things gets trickier when you apply the technology to politics. It’s called “microtargeting,” and it’s a recipe for political manipulation on a whole new level. The Bush 2004 campaign began working with TargetPoint Consulting in 2003, testing the theories and technologies that would win the 2004 election, on several Pennsylvania judicial races. TargetPoint founder Alex Gauge believed “[t]he Bush majority would be made up of thousands of groups of like-minded voters whom the campaign could reach with precisely the right message on the issues they considered most important.” When TargetPoint’s 2003 projections came up 90% accurate, Rove knew he had a winning strategy. The Bush election machine found the exact hot-button issues for the necessary profiles (”Flag and Family Republicans” and “Tax and Terrorism Moderates” are two examples), and then pushed those buttons to convince individual voters to come out for him. At its best, microtargeting eliminates the expense and effort of campaigning to voters you already know will vote for you. At its worst, it’s virtualized gerrymandering – letting politicians select their constituents.
The problem is not that each group hears a targeted message, it’s that they don’t hear anything else. “Flag and Family” hears positioning on flag burning. “Tax and Terrorism” hears plans for security. Neither hears the whole story, even if they live next door to each other. And when you only hear what you want to hear, you’re missing an opportunity to grown and change. When you only hear your own individual message you miss out on ideas like the Common Good. You might come to think that the only good is what’s good for you. And then what happens to democracy?
And don’t think this is just a Republican dirty trick. Democrats are johnny-come-lately to the game but microtargeting, also known as narrowcasting, is used by both sides.
And I’m not saying that datamining technology is inherently evil. Technology is, in my opinion, value-neutral. The questions of morality must be applied to how the technology is used. Are you focusing your limited campaign budget to convince people who haven’t made up their minds yet, or are you telling me what I want to hear? Are you selling me what I want to buy or are you convincing me that I want is what you have to sell? What comes next, when Big Brother lives at the intersection of K Street and Madison Avenue? How do you even know if what you want is what you want or what you’ve been told you want by someone who knows you better than you know yourself? It’s Room 101 through the looking glass – here is your deepest desire, all wrapped up with a pretty bow. And while you’re enjoying your new toys or new candidates, liberty is slowly slipping away. You never even notice.
Total Information Awareness
Things get really hairy when you start looking at government intelligence databases. In the months after 9/11, the federal government was feverish to buy, build, or borrow, tools that would help identify potential terrorists. John Poindexter headed the creation of DARPA’s Total Information Awareness (TIA – which was quickly renamed the Terrorist Information Awareness) system, which the ACLU calls “the closest thing to a true ‘Big Brother’ program that has ever been seriously contemplated in the United States.” The stated goal of TIA was to build an umbrella that pulled together every conceivable intelligence system – public and private databases, surveillance systems, biometrics, and more – into a single system that could be monitored and mined for evidence of terrorist-like behavior. One place to go to, to find everything “we” know about everything.
The net effect of these efforts, however, resulted in what many have dubbed the Surveillance Society; a virtual panopticon of data mining and realtime snooping. The Electronic Privacy Information Center (EPIC) has obtained documents showing John Poindexter meeting with Acxiom board member General Wesley Clark in May and June of 2002 and an email between Poindexter and Lt. Col. Douglas Dyer discussing the usefulness of Acxiom data and capabilities in creating the TIA. Dyer mentions the need to respect citizens’ privacy concerns, (”[P]eople will object to Big Brother”), but follows with the suggestion that the system may, in time, need “huge databases of commercial transactions that cover the world.”
(Nerd alert: EPIC obtained a very high-level, fluffy-bunny design document of the TIA system. The document was written by Hicks & Associates, a wholly owned subsidiary of infamous defense contractor SAIC, and uses UML diagrams and Use Cases such as this one on page 18: “22.214.171.124.2.1 Generating Threat Scenarios – Generating Threat Scenarios represents the capability for analysts to create scenarios representing possible threats that have potential to occur given a partial set of facts, events, links, and models.” Yeah, I’ll get right on that module. The project life cycle is defined on page 16 as “TBA – Developing – Prototyping – Experimenting – Transitioning.” This is no life cycle I’ve ever seen, in any OOSE-related materials. What ever happened to requirements gathering and designing? On the other hand, they are very precise about the analysts’ Dell Power Edge 620 workstations on page 95. The document reads like it was written by a vendor whose focus is on billing hours, not building software. It sounds good to risk managers but is completely useless to a developer; full of buzzwords and vague diagrams and little else. The tech industry’s opinion of the TIA system is low; it seems we are protected from Big Brother by greed and incompetence, rather than honor or intellectual vigor.)
A New York Times article in November 2002 raised concerns about privacy in the TIA-watched world. 2002 and 2003 saw a firestorm of reports, articles, and concerns about the TIA system. Senators Russ Feingold and Ron Wyden both introduced bills to stop data mining in general and TIA in specific. DARPA sent a report about the TIA system to Congress in May 2003. On September 24, 2003, Congress officially defunded the TIA project, with the exception of some specific components that were moved under other foreign intelligence projects.
Privacy issues were also raised by the Government Accountability Office, which responded after the project was canceled. Wesley Clark resigned from Acxiom’s board On October 9, 2003, citing the pressures of his presidential campaign.
To bring things full circle, it is reported that the equipment and technology used by the NSA for the warrantless wiretapping in Room 641-A and beyond had its origin in the TIA program. Is it possible that the fight over telecom immunity from prosecution is actually a red herring to distract us all from recognizing that the TIA program, a miserable failure that sucked millions or even billions of dollars from our budget, wasn’t actually canceled, but moved to a new organization and renamed? The ACLU has filed an amicus brief requesting that AT&T whistleblower Mark Klein’s documentation be made public and studied, to answer this question.
“Whether the specific technologies developed under TIA and acquired by ARDA have actually been used in the NSA’s domestic surveillance programs — rather than only for intelligence gathering overseas — has not been proved. Still, descriptions of the two former TIA programs that became Topsail and Basketball mirror descriptions of ARDA and NSA technologies for analyzing vast streams of telephone and e-mail communications. Furthermore, one project manager active in the TIA program before it was terminated has gone on record to the effect that, while TIA was still funded, its researchers communicated regularly and maintained “good coordination” with their ARDA counterparts.”
The Right to Privacy
What ever happened to the right to privacy? Truth is, the words “right to privacy” do not appear in the constitution. But Madison and the gang made sure that specific rights to specific privacies were spelled out in the Amendments: the privacy of beliefs, (1st Amendment), privacy from being forced to house soldiers (3rd Amendment), privacy against unreasonable searches and seizures – which includes protection for the privacy of personal information, referred to as “papers” (4th Amendment), and privacy against self-incrimination (5th Amendment).
Every time you use a credit card, a club card, a library card, visit a web page, take out a loan, make a political contribution, you are leaving a digital breadcrumb trail behind you. It is inescapable. And since we can’t avoid leaving the trail we must regulate those who would follow it. The use of these massive databases of “papers” must be reinterpreted as a violation of our 4th Amendment right. They violate what Justice Brandeis famously termed our “right to be let alone.” Even the honorable intention of protecting the country from bad people who would harm us is no justification for violating that right.
“Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.”
I know this has been a long post. I hope you’ve taken the time to read through the links of the various relationships and abuses of aggregated personal data and seen the danger to our democracy for yourself. Protections for personal information in the United States are random, confused, and limited.
Laws have been enacted only in response to specific problems, and no governmental body has taken a wider view to build a consistent, nation-wide policy to protect citizens and prevent the kinds of dangers presented here. Indeed, there isn’t even a single, national standard of what data is private and what is public. It is way past time for this oversight to be addressed.
Without specific laws to protect YOU and your data, there is no limit to the way YOUR data can be used, bought, sold, and manipulated. Don’t limit your fear, uncertainty, and doubt to FISA and warrantless wiretapping. We need to act now to limit the use of privately and government owned data warehouses while we still have a democracy to do so.
And I haven’t even mentioned data loss, data theft, hacking, honest mistakes, Internet cookies, and spyware.
Want to read some more? These folks are working on the problem:
- Electronic Privacy Information Center
- ACLU 2003 report on the growing surveillance society
- IEEE Computer Society – Security and Privacy
About Terri Shea
Terri Shea had a thriving career in high tech for many years until the dot.com crash coincided with maternity leave at the beginning of 2001. Her computer experience includes system configuration and installation, networking, administration, technical support, web development (technical design, specification, and programming) and development management. She currently works from home in Seattle, WA as a freelance writer for the hand knitting market, and published her first book, Selbuvotter: Biography of a Knitting Tradition, in 2007.