Heritage Foundation Leadership for America

AMERICAN PRINCIPLES OF LIBERTY AND LIMITED GOVERNMENT

Some might say that discussion of any development of TIA is premature--that TIA has yet to grow beyond the concept stage and that discussion of the limits to be placed on the use of TIA should await its development. Although TIA is little more than a research project at this juncture, however, it is still prudent to consider appropriate safeguards on its use while in development and implementation.

Indeed, fundamental legal principles and conceptions of American government should guide the configuration of TIA rather than the reverse. The precise contours of any rules relating to the use of TIA will depend, ultimately, on exactly what TIA is capable of accomplishing--the more powerful the systems, the greater the safeguards necessary. As a consequence, the concerns of critics should be fully voiced and considered while the TIA research program is underway.

In general, TIA can and should be constructed in a manner that fosters both civil liberty and public safety. Certain overarching principles must animate the architecture of TIA and provide guidelines that will govern the implementation of TIA in the domestic environment. These are the same principles that should animate the consideration of any new program to combat global terrorism at home.

Most of the debate over new intelligence systems focuses on perceived intrusions on civil liberties, but Americans should keep in mind that the Constitution weighs heavily on both sides of the debate over national security and civil liberties. The President and other policymakers must respect and defend the individual civil liberties guaranteed in the Constitution when they act, but there is also no doubt that they cannot fail to act when we face a serious threat from a foreign enemy.

The Preamble to the Constitution acknowledges that the United States government was established in part to provide for the common defense. The war powers were granted to Congress and the President with the solemn expectation that they would be used. Congress was also granted the power to "punish...Offenses against the Law of Nations,"13 which include the international law of war, or terrorism. Besides serving as chief executive and commander in chief, the President also has the duty to "take Care that the Laws be faithfully executed,"14 including vigorously enforcing the national security and immigration laws.

Of course, just because the Congress and the President have a constitutional obligation to act forcefully to safeguard Americans against attacks by foreign powers does not mean that every means by which they might attempt to act is necessarily prudent or within their power.15 Core American principles require that TIA (and, indeed, any new counterterrorism technology deployed domestically) should be developed only within the following bounds:16

• No fundamental liberty guaranteed by the Constitution can be breached or infringed upon.
• Any increased intrusion on American privacy interests must be justified through an understanding of the particular nature, significance, and severity of the threat being addressed by the program. The less significant the threat, the less justified the intrusion.
• Any new intrusion must be justified by a demonstration of its effectiveness in diminishing the threat. If the new system works poorly by, for example, creating a large number of false positives, it is suspect. Conversely, if there is a close "fit" between the technology and the threat (that is, for example, if it is accurate and useful in predicting or thwarting terror), the technology should be more willingly embraced.
• The full extent and nature of the intrusion worked by the system must be understood and appropriately limited. Not all intrusions are justified simply because they are effective. Strip searches at airports would prevent people from boarding planes with weapons, but at too high a cost.
• Whatever the justification for the intrusion, if there are less intrusive means of achieving the same end at a reasonably comparable cost, the less intrusive means ought to be preferred. There is no reason to erode Americans' privacy when equivalent results can be achieved without doing so.
• Any new system developed and implemented must be designed to be tolerable in the long term. The war against terrorism, uniquely, is one with no immediately foreseeable end. Thus, excessive intrusions may not be justified as emergency measures that will lapse upon the termination of hostilities. Policymakers must be restrained in their actions; Americans might have to live with their consequences for a long time.

From these general principles can be derived certain other more concrete conclusions regarding the development and construction of any new technology:

• No new system should alter or contravene existing legal restrictions on the government's ability to access data about private individuals. Any new system should mirror and implement existing legal limitations on domestic or foreign activity, depending upon its sphere of operation.
• Similarly, no new system should alter or contravene existing operational system limitations. Development of new technology is not a basis for authorizing new government powers or new government capabilities. Any such expansion should be independently justified.
• No new system that materially affects citizens' privacy should be developed without specific authorization by the American people's representatives in Congress and without provisions for their oversight of the operation of the system.
• Any new system should be, to the maximum extent practical, tamper-proof. To the extent that prevention of abuse is impossible, any new system should have built-in safeguards to ensure that abuse is both evident and traceable.
• Similarly, any new system should, to the maximum extent practical, be developed in a manner that incorporates improvements in the protection of American civil liberties.
• Finally, no new system should be implemented without the full panoply of protections against its abuse. As James Madison told the Virginia ratifying convention, "There are more instances of the abridgment of the freedom of the people by gradual and silent encroachments of those in power than by violent and sudden usurpations."17

SCOPE OF TERRORIST THREAT AND TIA's POTENTIAL PROMISE

With those principles in mind, the discussion of TIA will also be well-served by a thorough understanding of the threat it is intended to address and the precise means by which it would address that threat.

The Terrorist Threat
The full extent of the terrorist threat to America cannot be fully known. Consider, as an example, one domestic aspect of that threat--an effort to determine precisely how many al-Qaeda operatives are in the United States at this time and to identify those who may enter in the future.

Although estimates of the number of al-Qaeda terrorists in the United States have varied since the initial attack on September 11, the figure provided by the government in recent, supposedly confidential briefings to policymakers is 5,000.18 This 5,000-person estimate may include many who are engaged in fundraising for terrorist organizations and others who were trained in some fashion to engage in jihad, whether or not they are actively engaged in a terrorist cell at this time. But these and other publicly available statistics support two conclusions: (1) no one can say with much certainty how many terrorists are living in the United States, and (2) many who want to enter in the foreseeable future will be able to do so.

Understanding the scope of the problem demonstrates the difficulty of assessing the true extent of the risk to the United States. Consider this revealing statistic: "[M]ore than 500 million people [are] admitted into the United States [annually], of which 330 million are non-citizens."19
Of these:

• Tens of millions arrive by plane and pass through immigration control stations, often with little or no examination.20
• 11.2 million trucks enter the United States each year.21 Many more cars do so as well: More than 8.5 million cars cross the Buffalo-Niagara bridges each year alone, and only about 1 percent of them are inspected.22
• According to the U.S. Department of Commerce, approximately 51 million foreigners vacationed in the United States last year, and this figure is expected to increase to 61 million in three years.23
• There are currently approximately 11 million illegal aliens living in the United States. Roughly 5 million entered legally and simply overstayed their lawful visit.24
• Over half a million foreign students are enrolled in American colleges, representing roughly 3.9 percent of total enrollment, including:
• 8,644 students from Pakistan;
• A total of 38,545 students from the Middle East, including 2,216 from Iran, 5,579 from Saudi Arabia, and 2,435 from Lebanon, where Hezballah and other terrorist organizations train; and
• About 40,000 additional students from North African, Central Asian, and Southeast Asian nations where al-Qaeda and other radical Islamic organizations have a strong presence.25

This, of course, is only part of the story. The other aspect of the danger to America is the new and unique nature of the threat posed by terrorists. Virtually every terrorism expert in and out of government believes there is a significant risk of another attack. Moreover, the threat of such an attack, unlike the threat posed by the Soviet Union during the Cold War, is asymmetric.

In the Cold War era, U.S. analysts assessed Soviet capabilities, thinking that their limitations bounded the nature of the threat the Soviets posed. Because of the terrorists' skillful use of low-tech capabilities (e.g., box cutters), their capacity for harm is essentially limitless. The United States therefore faces the far more difficult task of discerning their intentions. Where the Soviets created "things" that could be observed, the terrorists create transactions that can be sifted from the noise of everyday activity only with great difficulty. There can, therefore, be little doubt of the importance of research to better understand the value (or lack thereof) of sifting this mass of data. It is a problem of unprecedented scope, and one whose solution is imperative if American lives are to be saved.

The Total Information Awareness Program
The Department of Defense is experimenting with a number of possible technological approaches to solving this problem, collectively known as TIA.26 It is a research project to develop a variety of new software and hardware tools to improve the way the intelligence, counterintelligence, and law enforcement communities share information on suspected terrorist plans in order to prevent future attacks.

TIA can be a powerful collaborative network for agencies that have a counterterrorism mission. By fostering the sharing of information in existing databases, TIA can close the seams between organizations that have prevented early detection of foreign terrorists in the past. The program conducts research in issues relating to data search, pattern recognition, and information security. It is a multi-year feasibility study and development effort consisting of numerous related research initiatives that first began awarding contracts in 1997.27 A prototype of the more controversial technology is at least five years away.

This research has two intended uses: gathering foreign intelligence on non-Americans and gathering domestic information for intelligence and law enforcement purposes. The research also has two potential government applications: the relatively uncontroversial goal of establishing a much-needed intelligence fusion capability by permitting data integration from a variety of government-owned databases28 and the more controversial creation of a more efficient means of querying non-government databases holding information relevant to domestic terrorism investigations.29

The more controversial aspects of TIA relate to the second of these development projects insofar as it would operate domestically30--the effort to create technology to link databases and permit queries of those databases based upon models of potential terrorist behavior. As the accompanying appendix describes in substantially more detail, there are two aspects of this project: the development of the technological means for querying databases with widely varying data formats and the development of the technological means for conducting such queries while enhancing the privacy of the data being retrieved.

Terrorists preparing for an attack will leave an electronic trail of interactions with the government both outside (e.g., travel from Yemen to Germany) and within the United States (e.g., Customs declarations upon entry) through purchases, travel, and other activities, just as anybody else living in the modern world does. Through a subject-oriented query of databases containing this information, technology being developed by the IAO could be used to gain a more complete understanding of a suspect, his activities, and his relationships with others through an examination of this trail. Through a pattern-oriented query, TIA solutions linked to this information could be used to identify a terrorist based on intelligence data and detailed models of potential terrorist activities.31

Thus, for example, imagine if credible intelligence sources reported that the precursor components of Sarin gas were being smuggled into the United States by al-Qaeda operatives via flights originating in Germany during the month of February 2003. If TIA-based technologies were available today, a pattern-based inquiry of existing government databases might produce a list of non-resident aliens entering the United States during that period on flights meeting those specifications. This information might be cross-checked against other government databases identifying known or suspected terrorists. A subject-based data query might then be used to develop additional information about those identified as warranting further investigation. Their purchase, for example, of additional materials that might assist in the deployment of Sarin gas (canisters and the like) could conceivably be sifted from the information in non-government databases and used as a predicate for further investigation.

Because of the evident challenges to civil liberties that such capabilities would present, the TIA development program has built into its research agenda various measures designed to protect privacy by keeping personal data and irrelevant information out of government's hands. To insure this privacy protection, as part of its research, the IAO is developing technologies intended to prevent the examination of personal information and general misuse. These include, for example, information partitioning and selective revelation technology (that is, separating individual identification information from the underlying data). It also includes the increased use of filters and software to analyze data and remove information unrelated to the investigation.

The combined components of the TIA program would present the intelligence community with a powerful means to electronically intercept and process electronically stored data. Because of the potential power of these tools, the IAO is investing resources in technology that "can allow us to make substantial progress toward supporting both privacy and national security."32

OVERSIGHT AND LAW CAN SAFEGUARD CIVIL LIBERTIES

The first argument against the use of intrusive software and easier data collection technology in general--and TIA in particular--is the argument against expanding powers of the state. This argument has substantial historical foundation. The principal concern of many critics of TIA is not that the government is gaining access to more information than it previously had, but rather that the government's enhanced ability to quickly and effectively correlate disparate databases to which it already lawfully has access will increase the government's control and power over Americans' lives.

This concern is not unwarranted. One of the fundamental bulwarks of American liberty is the notion of a federal government of limited powers. The constitutional system of checks and balances is, in part, a recognition that individual liberty is advanced by structures that purposefully render government less efficient and thus more measured. Any enhancement of the government's ability to act is in tension with this venerable American tradition.

At the same time, however, one must also acknowledge the potential value of the increased efficiency in anti-terrorism investigations that would come from the ability to pose directed pattern queries to government databases. Consider, for example, the recent sniper attacks in the Washington, D.C., area--attacks that initially were thought to be linked to terrorism. There was ample information about the two killers in government databases that had been lawfully collected: the court order issued in Washington State; the fingerprints on the bullet in Alabama; and the traffic stop information collected on more than a dozen occasions by several law enforcement agencies in the Washington metropolitan area, to name but a few. Yet even these data (which nobody can doubt were appropriately collected in the government databases) were not accessible or integrated in a useable manner. Had, for example, the federal government had the capacity to make a simple query of local law enforcement databases--identify all cars about which more than five local data queries had been made since the attacks began--the snipers' car would have been identified as suspicious well before their capture actually occurred.

It is this sort of failure (typified by the inability to coordinate information gathered in Montgomery, Alabama, with that gathered in Montgomery County, Maryland) that TIA is intended to address.33 Perhaps this new tool will prove to be ineffective, but at its inception, it holds out significant promise.

How, then, can the fears of increased government efficiency and authority be addressed? Ultimately, it is not persuasive to argue that the prospect of increased efficiency and increased governmental power is so great a threat to civil liberties that all efforts toward an enhanced capacity for information fusion should be abandoned. The potential benefits are too substantial and the threat of further terrorist attacks on the United States too real and horrific to forsake all such effort. Even if the use of TIA were confined to examination of overseas databases containing information on non-Americans, it would offer significant benefits. Thus, the better response is to embrace the challenge of constructing a useful system to combat terrorism that has strong safeguards to protect against abuse. Among the safeguards:

• Require congressional authorization
  In light of the underlying concerns over the extent of government power, it is of paramount importance that there be formal congressional consideration and authorization of the TIA program, following a full public debate, before the system is deployed. Some of the proposed data-querying methods (for example, the possibility for access to non-government, private databases, which is discussed in the next section) would require congressional authorization in any event. But, more fundamentally, before any program like TIA--with both great potential utility and significant potential for abuse--is implemented, it ought to be affirmatively approved by the American people's representatives. Only through the legislative process can many of the restrictions and limitations suggested later in this paper be implemented in an effective manner. The questions are of such significance that they should not be left to executive branch discretion alone.

For that to happen, Congress must not strangle the program in the crib by means of an appropriations rider that stops research or development until Congress gets its act together. Such a rider may be well-intentioned, but it would have the effect of encouraging congressional delay and empowering a committed minority to employ various dilatory tactics to kill any eventual authorization. The threat of another horrific attack on America is simply too grave to justify prematurely cutting off such a promising anti-terrorism tool as TIA.34

• Maintain stringent congressional oversight
  In connection with the congressional authorization of TIA, Congress should also commit at the outset to a strict regime of oversight of the TIA program. This would include periodic reports on TIA's use once developed and implemented, frequent examination by the U.S. General Accounting Office, and, as necessary, public hearings on the use of TIA. Congressional oversight is precisely the sort of check on executive power that is necessary to insure that TIA-based programs are implemented in a manner consistent with the appropriate limitations and restrictions. Without effective oversight, these restrictions are mere parchment barriers. While potentially problematic, one can be hopeful that congressional oversight in this key area of national concern will be bipartisan, constructive, and thoughtful. Congress has an interest in preventing any dangerous encroachment on civil liberties by an executive who might misuse TIA.

The Heritage Foundation has written extensively on the need for reorganization of the congressional committee structure to meet the altered circumstances posed by the war on terrorism and the formation of the Department of Homeland Security.35 Oversight of any program developed by TIA would most appropriately be given either to the committee which, after reorganization, had principal responsibility for oversight of that Department or, if TIA is limited to foreign intelligence applications, to the two existing intelligence committees.

• Construct TIA to permit review of its activities
  To foster the requisite oversight and provide the American public with assurances that TIA is not being used for inappropriate purposes, the TIA program must incorporate, as part of its basic structure, an audit trail system that keeps a complete and accurate record of activities conducted using the technology.36 To the maximum extent practical, the audit system should be tamper-proof. To the extent it cannot be made tamper-proof, it should be structured in a way that makes it evident whenever anyone has tampered with the audit system. Only by providing users, overseers, and critics with a concrete record of its activity can TIA-developed technology reassure all concerned that it is not being misused.
• Limit the scope of activities for which queries of domestic non-government databases may be used
  TIA is a technological response to the new, significant threat of terrorism at home and abroad. After September 11, no one can doubt that domestic law enforcement and foreign intelligence agencies face a new challenge that qualitatively poses a greater threat to the American public than any other criminal activity.

U.S. foreign counterintelligence efforts are responding to a new and different form of terrorism and espionage. It is appropriate, therefore, that the use of TIA to query non-government databases be limited to the exigent circumstances that caused it to be necessary.37 Technology being developed for TIA to query and correlate data and uncover potential terrorist activity should be used (whether for law enforcement or intelligence purposes) only to investigate terrorist, foreign intelligence, or national security activities, and the TIA technology should never be used for other criminal activity that does not rise to this level.

It is important to be especially wary of "mission creep," lest this new technology become a routine tool in domestic law enforcement. It should not be used to fight the improperly named "war on drugs," combat violent crime, or address other sundry problems. While certainly issues of significant concern, none are so grave or important as the war on terrorism. Given the bona fide fears of increased government power, any systems that might be derived from TIA should be used only for investigations where there is substantial reason to believe that terrorist-related activity is being perpetrated by organizations whose core purpose is domestic terrorism.

The legislation authorizing TIA should enact this limitation. Congress should, therefore, specify that use of the TIA system is limited to non-government data inquiries that are certified at a sufficiently high and responsible level of government to be necessary to accomplish the anti-terrorism objectives of the United States. Only if, for example, a Senate-confirmed officer of the Department of Justice, Homeland Security, FBI, or CIA (such as an Assistant Attorney General or the FBI Director) certifies the objectives of the inquiry based upon a showing of need should one be made.

• Limit access to the results of the search
  A corollary to the need to limit authority to initiate an analysis using TIA is an equivalent necessity to limit access to the findings of any resulting analysis. It is unacceptable for the data and analysis derived from a TIA query, and linked to an individual identity, to be available to every Transportation Security Administration screener at every airport. Assuredly, after high-level analysis substantiates the utility of the information, it can be used to create watch lists and other information that can be shared appropriately within the responsible agencies. Until that time, however, access to the results of a TIA search should be limited, by the authorizing legislation, to a narrow group of analysts and high-level officials in those intelligence, counterintelligence, and law enforcement agencies.
• Distinguish between use of TIA in examining domestic and foreign activities
  In practice, it will be possible to use whatever technology the TIA program develops to unearth terrorist activity or conduct counterintelligence activity both abroad and domestically. As discussed below, existing law places significant restrictions on intelligence and law enforcement activity that addresses the conduct of American citizens or occurs on American soil. Conversely, fewer restrictions exist for the examination of the conduct of non-Americans abroad.

The development of TIA is not a basis for disturbing this balance and changing existing law. Thus, even if Congress ultimately chooses to prohibit the implementation of TIA for any domestic law enforcement purpose whatsoever (a decision that would be unwise), it would be a substantial expansion of existing restrictions on the collection of foreign intelligence data were it to extend that prohibition to use of the technology with respect to overseas databases containing information on non-citizens. At a minimum, in considering TIA Congress should ensure that, consistent with existing law, any program developed under TIA will be used in an appropriate manner for foreign intelligence and counterintelligence purposes.38

• Impose civil and criminal penalties for abuse
  Most important, all of these various prohibitions must be enforceable. Violations of whatever prohibitions Congress enacts should be punishable by the executive branch through its administrative authority. Knowing and willful violations should be punishable as crimes. These forms of strong punishment are a necessary corollary of any TIA authorization.

In addition, Congress should enlist the third branch of government--the courts--to serve as a further check on potential abuse of TIA. As is detailed below, the courts will be involved in challenges to TIA information requests. To insure effective oversight of the use of TIA by the courts, Congress should also authorize a private right of civil action for injunctive relief, attorneys' fees, and (perhaps) monetary damages by individuals aggrieved by a violation of the restrictions Congress imposes.39

• Sunset the authorization
  Any new law enforcement or intelligence system must withstand the test of time; it must be something that the American public can live with, since the end of the war on terrorism is not immediately in sight. Congress should be cautious, therefore, in implementing a new system of unlimited duration. It is far better for the initial authorization of TIA to expire after a fixed period of time so that Congress may evaluate the results of the research program, its costs (both public and private), and its long-term suitability for use in America. A sunset provision of five years would be ample time for Congress to gather concrete information on the program. With such information, Congress will be in a position to continue, modify, or terminate the program as it deems appropriate.

LIMIT GOVERNMENT ACCESS TO DOMESTIC INFORMATION DATABASES

The second root of public concerns about the development of TIA lies in the fear that the government will gain access to data to which it does not now have access. TIA should not be a vehicle for expanding the government's storehouse of information about individuals. Rather, appropriately conceived, TIA should mirror existing legal limitations. It should neither expand nor contract the corpus of data available for analysis.

Overview of the Technology

TIA's overall goal is to promote the more efficient transfer and analysis of information in a secure, collaborative, virtual community in order to advance more effective and rapid decisionmaking. Despite information in recent press reports, the aim is not to give government access to any information to which it does not already have legal access, but rather to promote the more efficient use of the information that it already possesses or has the authority to receive. To increase efficiency, research efforts are focused on developing (1) a means of data integration that does not require the physical transfer of data from one repository to another and (2) advanced analytical models that will conduct much of the initial processing of scanned and extracted data.

Technology being developed through the TIA program would be crucial to developing an intelligence fusion capability to remedy the intelligence failures exhibited prior to September 11, 2001. An intelligence fusion center57 would focus on integrating information from many sources in order to break down the bureaucratic cultures that have prevented effective information sharing in the past. Such a facility should utilizing advanced data-integration and automated data-mining technology to speed the process and make sense of otherwise disparate bits of information. Specifically, a successful fusion capability must (1) include access to and the ability to explore all government databases, including intelligence, regulatory, and law enforcement as described in the body of this paper; (2) integrate the information found in those databases to be usable by individual analysts; (3) make automated independent judgments about that information; and (4) and allow analysts to provide more complete and accurate warning.58

One area on which DARPA is focusing significant effort is more advanced techniques for data mining. Data mining or knowledge discovery, according to David Jensen of the University of Massachusetts, uses "algorithms [to] discover useful, previously unknown knowledge by analyzing large databases."59 The health care industry uses data mining to predict a patient's chances of survival as an aid to better prioritization. Likewise, for intelligence purposes, data-mining technology can allow an intelligence analyst to focus his or her attention on the most relevant information. However, current data-mining systems are insufficient for countering terrorism because they assume that data sets are made of unrelated cases, whereas uncovering existing relationships is crucial to terrorism investigations.60 The TIA program is working to develop data-mining or knowledge discovery programs to uncover relationships.

Contrary to recent media reports, one of the TIA program's primary goals is to develop a method of making information stored electronically in a database available to users linked to that database without having to download it into a central repository or distributed data warehouses that would function as a single entity. Investigating terrorism with the goal of preventing future attacks will require intense sharing of data among agencies in an efficient and rapid fashion.

Attempting to consolidate the terrorism-related information held in a variety of government and commercial databases through existing technology would create a number of problems. Specifically:

• Adding new interfaces to link existing databases limits scalability, as every database will require that new interfaces be added for it to be able to communicate. Eventually, the network is likely to become incredibly complex and cumbersome.
• Development of software that can translate a query into a format that multiple databases can understand is possible
  This removes the need to modify existing systems. However, it does not reduce the complication associated with adding interfaces; instead, it transfers the same problems to the linking software.
• The final option is to reformat data into a re-engineered database--a process that is both excruciatingly slow and cumbersome.61

To overcome these limitations, the IAO is attempting to develop a means of integrating information without removing it from its original sources. This will depend in part on the IAO's ability to develop query methods that do not need either to know where the data are located or to reference specific fields.62

Merely giving an analyst access to numerous sources of data offers little value, however, as it offers no way to determine what information should be looked at and what should be ignored. The IAO is attempting to develop models that software can use to analyze raw data for relevance. The models the IAO envisions will be baskets of detailed information about terrorist activities, the patterns they follow, and their methods of operation.

TIA technology is being tested by the IAO using synthetic data based on past experience and simulated terrorist activities. These tests will allow analysts to determine the specific information encapsulated in each model. If applied in the real world, models would be based on law enforcement data and intelligence information related to past investigations of terrorism. In addition, the IAO is attempting to develop a way for models to evolve continually as new knowledge becomes accessible. For example, if new patterns of activity were uncovered during the course of an investigation, the computer's models would be updated as appropriate.

The models being researched under TIA are intended to be much more comprehensive than the limited profiles that are used today and frequently discussed in the press, such as the invidious use of race or national origin as a proxy for terrorist threats. Ultimately, more sophisticated models will be used to determine what information to extract from databases through queries and to evaluate the relationships among people, organizations, and activities that may be indicated by that information.63

The IAO is attempting, through these advanced analytical models, to improve the way the information is queried so that analysts see only data relevant to the terrorism investigation they are conducting. This will allow for more rapid understanding and analysis by reducing the amount of unrelated material that each analyst must analyze. TIA is being designed to allow an analyst to conduct two kinds of queries: subject-oriented, which focus on an individual suspect, and pattern-oriented, which look at suspected activities. Both types of searches will utilize models to provide more detailed results by providing information that is within the context of modeled terrorism profiles and limited to data that are directly related to the investigation.

The IAO is also researching ways to include credentialing when an analyst submits a query. Inclusion of this information could be used to limit access to government information to those who have a specific need to know and conceivably to ensure that appropriate legal authority has been granted to search commercial data. By developing more advanced query methods, the IAO is seeking to move beyond the current limitations in data profiling that have been criticized since September 11 (i.e., providing additional scrutiny to airline passengers who purchase tickets with cash at the last minute) and to replace them with detailed, complex queries based on actual intelligence through modeling and other sets of conditions.

A crucial distinction needs to be made between what TIA is designed to do and what its opponents have described as its purpose. Critics have claimed that TIA-based networks will look for unusual relationships or patterns in order to identify terrorists without reason to initiate an investigation. Both the public and private sectors frequently use existing technology, including data-mining technology, to identify potential targets (whether for investigation, advertising, or other purposes). These efforts are limited to looking for specific actions such as purchasing airline tickets at the last minute, past criminal activity, and racial profiling.

This option, however, was rejected by the IAO, which is attempting to replace today's limited electronic profiling methods that frequently result in false positives with more detailed analysis of transactional relationships. During the DARPATech 2002 symposium, Evidence Extraction and Link Discovery (EELD) program director Ted Senator discussed the different means that could be used to analyze transactional information:

Much technology exists to implement the first approach [searching for unusual relationships]. While it can find groups of people who appear to be linked together, it tells us nothing about whether their activities are legitimate or suspicious. It also requires us to make many assumptions about the prior joint probability distributions, such as the likelihood that two people will happen to be at a particular airport together. And there are important and legitimate legal and policy constraints that prohibit its [the technique of looking for these kinds of relationships] widespread use.

Monitoring data streams for indicators of activity can suffer from the limitations of traditional fraud detection techniques and also can be limited to finding instances of previously known or suspected types of threatening behavior. Criteria for new types of threatening behavior can be incorporated after they are discovered, typically after a small but significant number of instances of that behavior surface. This reaction time, of allowing for a small number of new types of incidents before updating the automated system, may work for domains where the goal is preventing most illicit behavior most of the time, such as credit card fraud, but is not acceptable for the one-time rare events of such magnitude that we experienced on September 11.64

Instead, the IAO intends to use the models it is developing to sort through information. While DARPA is testing the feasibility of the concept, these models will be based on synthetic data and "red team"65 simulations of terrorist activity. If applied in the real world, models would be based on law enforcement data and intelligence information related to past investigations of terrorism.

Since the modeling programs will be based on known intelligence, lessons learned from past investigations, and detailed simulations, they should overcome many of these limitations. Doing so will improve the effectiveness of an investigation by reducing the number of innocent people targeted during an investigation--a fact that is also more friendly to a free society than are today's limited generalizations.

TIA's Efforts to  Promote Intelligence Sharing

In the past year and a half, it has become abundantly clear that better intelligence sharing might have helped to prevent the terrorist attacks on the World Trade Center and the Pentagon on September 11, 2001. Multiple FBI field offices were conducting investigations related to Arab students at U.S. flight schools; the CIA was monitoring the foreign activities of two of the perpetrators; five were on other government lookout lists; and three had even been stopped by police for traffic violations shortly before the attack. None of these agencies, however, was aware of related activities occurring elsewhere. Even information that should have been shared, such as the names of the terrorists the CIA was tracking, was hoarded. The most effective way to promote information sharing would be to automate the process through the establishment of an intelligence fusion center.66

In response, the IAO is continuing over six years of DARPA research on how to use highly advanced information technology solutions to better share and analyze intelligence in order to provide tools to combat terrorism more effectively. Currently, analysts spend hours reading intelligence reports, potentially only to digest a small amount of information relevant to an ongoing investigation. Instead of relying on the electronic or physical transmission of intelligence reports, which analysts will then have to read in order to discover what could be only a small bit of information, the TIA program seeks to provide a quicker mechanism for providing analysts with information specifically related to their needs.67

The goal is to use the advanced data integration and analysis tools the IAO is researching to ensure that an analyst has access to the full scope of information the federal government is holding related to their case, to form a virtual network of analysts studying the same issue across agency lines, and to take some of the analytical burden off of the analyst by conducting some of the initial research and data collection. With these services provided, intelligence analysts will be able to focus more on assessing threats and developing recommendations for policymakers.

The first step in this process was to create a virtual environment in which information can be exchanged within ad hoc electronic interagency teams that emerge to study an issue. This was the purpose of project Genoa, launched six years ago and completed by the IAO last year. The knowledge gained under project Genoa is what is currently being integrated into operational computer systems and subjected to field-testing with the Army intelligence community.

This program still requires an individual analyst to provide information to the virtual community. but it also establishes a situation in which they are more likely to realize that such information should be shared and allows information to be shared among a virtual team with the approval of the person or agency holding the information. Genoa technology is being used today in a fashion that falls short of full intelligence fusion; but if used throughout the counter-terrorism community, it would solve some of the most pressing communication problems that occurred before September 11.68

The ultimate goal of DARPA's ongoing research in its TIA program is to automate much of this process. In particular, the IAO's Genoa II project is researching ways to automate the excavating and initial analysis of relevant information from that held by the linked community and then to capture the knowledge gained by an analyst to support future study. Under the IAO's vision processes, such as the translation and finding of stored data, checks for relevance and the development linkages would occur electronically, allowing an analyst to focus on studying the meaning of the data to establish whether or not a threat exists and then formulate recommendations for policymakers. Research being conducted on modeling, data linking, and other analytical tools will be crucial to this effort.

Using TIA to Query Government and Non-Government Databases

Most of the controversy that has emerged over TIA in the past three months has been related to possible use of the technology being developed by the IAO as a new investigative tool to search commercial transactional data such as, for example, credit card purchases, airline reservations, and Internet activities. Terrorists preparing for an attack will leave an electronic trail of purchases, travel, and other activities just as anybody else living in the modern world does.

Currently, law enforcement agencies can obtain this information legally through the subpoena process. However, without a real-time connection, the information may not be as up-to-date as possible. Improving law enforcement's access to the most current and accurate data could prove a valuable tool for investigating terrorism.

Technology being developed by the IAO to allow subject-oriented queries of data could be used to gain a more complete understanding of a suspect, the suspect's activities, and his or her relationships with others through a search of this trail. Through a pattern-oriented query, TIA solutions linked to this information could be used to identify a terrorist based on intelligence data and the detailed models discussed above. In both cases, established legal and policy guidelines for viewing commercially held data would still have to be followed.

This aspect of TIA would rely on the integration of information held in non-government private databases through a technique similar to but more capable than (and more respectful of individual privacy than) the data-integration and data-mining technology commonly used in the private sector. Data integration and data mining generally refers to the process of extracting, analyzing, and categorizing information from large quantities of stored data. These data can include facts, numbers, or text that is processed by a computer and then typically accumulated and stored in a separate database warehouse. The analysts or users of such a computer can then identify correlations, relationships, or patterns within the large amounts of data.

In the commercial world, data mining can serve many functions: It allows, for example, Amazon to pitch a particular book to you as one you are likely to enjoy based on your past purchases. But it also allows your credit card company to combat fraud by noting anomalous large purchases that may well be the product of stolen credit card data.

TIA, in contrast with commercial data-mining systems, is not being developed to download and centrally store raw data. The accumulation and storage of vast amounts of information runs contrary to the basic purpose of TIA, which is to facilitate an analyst's access to relevant information by insuring that pertinent data are not buried under mounds of useless records. Similarly, traditional data-integration methods would be of little value because the information extracted under these techniques would be outdated as quickly as it could be downloaded, reformatted, and made accessible to an analyst.

TIA will also differ from existing data-mining technology by relieving the user of the need to assess the raw data for relevance. It will do this by using electronic modeling and filters to provide analysts only with specific, detailed information related to their requests: a development that could contribute significantly to the protection of personal data by insuring that human agents review only data that exhibit substantial indicia of relevance to terrorist activity.

The IAO intends to establish this link by developing an "appliance" consisting of software and hardware to analyze the information stored in a data warehouse for relevance and--after any private information is filtered out--make that information electronically accessible to the analyst initiating a query. The appliance would be responsible for confirming the credentials of the user attempting to access it; applying the appropriate rules for its use (based on existing legal and policy constraints and such additional constraints as Congress may see fit to impose); searching the data; determining what may and may not be released; removing private information; and beginning an audit trail.

This process will allow for the greater protection of irrelevant personal information than is provided by the way in which government currently accesses such information through a subpoena. While this is an important component of TIA's research agenda, TIA has barely begun to study its feasibility.

Exactly what databases would be accessed by the technology the IAO is attempting to develop has not yet been determined. Clearly, not every transactional record held by the private sector would contribute to terrorism investigations; but a wide variety, such as financial and travel records, could prove crucial. DARPA has commissioned RAND to study what data should be made available to investigators using TIA technology and the National Academy of Sciences to study the policy implications of such advanced information technology. For research purposes, the IAO plans to create a simulated virtual world made up of imaginary transactional data in which it can test its concepts. DARPA will test the feasibility of the concept and turn it into a working prototype.

As we have set forth more fully in the body of this paper, policymakers and elected officials will have to make a final determination as to what databases may be accessed, what to exclude, and who should have access to TIA technology as an investigative tool.

DARPA's Technical Efforts to Protect Privacy

Protecting individual privacy is an integral part of DARPA and IAO research efforts. Accordingly, the IAO has noted,

The Information Awareness Office at DARPA is about creating technologies that would permit us to have both security and privacy. More than just making sure that different databases can talk to one another, we need better ways to extract information from those unified databases, and to ensure that the private information on citizens is protected.69

Because DARPA is a research and development agency, its efforts in the area of privacy protection are technological and are focused on developing information technology solutions, such as TIA, that can be utilized in a manner that is consistent with American law and respects American civil liberties. As part of its research on privacy solutions, the IAO is developing technologies directly intended to prevent the divulging of personal information and general misuse, including information-partitioning and selective-revelation programs, and filters and software to analyze intercepted data and remove information unrelated to the investigation.

Information partitioning would protect privacy in two ways. First, it would block an analyst from seeing personally identifying information such as names, addresses, and Social Security numbers unless legal authority--such as a Foreign Intelligence Surveillance Act (FISA) warrant--is granted to access it. Indeed, blocking private information collected incidentally is a priority for DARPA generally.

Research on selective revelation recommended by the Information Science and Technology (ISAT) Panel's "Security with Privacy" study and included in TIA would develop barriers between the analyst and the data to prevent access to private information stored in either a government or a commercial repository. The ISAT Panel described how selective revelation could work in practice:

An analyst might issue a query asking whether there is any individual who has recently bought unusual quantities of certain chemicals, and has rented a large truck. The algorithm could respond by saying yes or no, rather than revealing the identity of an individual. The analyst might then take that information to a judge or other appropriate body, seeking permission to learn the individual's name, or other information about the individual.70

Such a capability would allow federal agencies to use TIA in a manner consistent with existing U.S. privacy laws. The IAO's information-partitioning research could also be used to ensure that those who have access to a network are able to retrieve only information that they have a need to see, providing an added layer of security against misuse.

The Genisys Privacy Protection program is developing filters to record only information allowed by law and other federal guidelines. Filters are commonly used for a variety of purposes to limit information retrieved in response to a query. However, a filter by itself is an insufficient guarantor of civil liberties, as it is only as good as its programming. Simple problems such as a misspelling can inhibit the usefulness of filters while--more important--complex rules may not be readable by both a computer and a person. The ISAT Panel has recommended additional research into rule writing that would be readable by both.

Since a filter may not catch everything, Genisys is also developing a combination of software and hardware that would use models, as discussed earlier, to analyze incoming information for relevance and expunge irrelevant information. This process would occur before an analyst receives a response to a query and would increase both the efficiency of the analyst's search and the protection of individual privacy by providing only relevant information. Using the ISAT Panel's previously described example of a search on individuals purchasing certain chemicals and renting a truck, these solutions could further limit the results produced to those that fit detailed knowledge about terrorist purchasing habits that could be included in the modeling software.

The IAO is researching more tamper-evident and tamper-resistant information repositories to allow for more timely and accurate auditing of use. TIA is being designed to identify users, create an audit trail, and govern the information that is available. These efforts are being designed to monitor not only when users log on and what they do while connected, but also to track how the information is used and where it goes after it is received.

Monitoring how an analyst will use TIA technologies will make it easier to identify potential misuse and quickly take appropriate disciplinary action as required. In many cases, detailed auditing may deter misuse; in others, it will facilitate catching those responsible. Sufficiently secure auditing technologies such as this would contribute greatly to internal and external oversight by either making evident or preventing unauthorized use.