Oct 08 2008
A government panel released a report yesterday that says that data mining, at least the way the government does it, doesn’t catch terrorists. Their findings show that pattern-based data mining, looking for a related set of activities, won’t catch terrorists because they’re each person is too unique and they’re doing everything they can to blend in with the crowd. The sort of information provided by the Total Information Awareness is more likely to end up in misidentification of legitimate citizen activities rather than positive identification of terrorists. Which is exactly what Bruce Schneier has been saying for years.
The National Research Council has a number of suggestions, which include evaluating the effectiveness and lawfulness of a program like TIA before it ever goes into production. Imagine that, a government that actually weighs the trade-offs between the effectiveness of a program versus the loss of privacy and civil liberties! Instead of screaming that they need to know everything about our personal lives and telling us not to questions, they’d actually evaluate if the measures actually do what they’re claiming. Not that we’ve seen much of that in the last few years, but it is a pleasant daydream.
Data mining is a tool, nothing more or less. But for the finding terrorists, it’s an ineffective tool. One of the findings after 9/11 was that we’d spent too much time and energy relying on technology to find evil-doers; it’s the human factor, people on the ground, that find terrorists, not computers. While computers can tell us a lot about someone’s online activities, if someone is trying to hide what they’re doing, it’s only by actually following and monitoring a person in the real world that will reveal their intent.
Data mining is nice because it presents the illusion of doing something. Collecting tons of data, looking at the pretty lights on the computer blink and then getting a name spit out on a punch card is impressive, but only if it really works. And since most people don’t understand the process, especially politicians, it provides a smoke screen that looks like actual work. But when you look behind the screen you realize it’s just providing a lot of data without real information being involved. To paraphrase Schneier, “If you think data mining is the only solution to your problem, you don’t understand data mining and you don’t understand your problem.”
I like the suggestions the panel came up with; any data mining program needs to be carefully evaluated before it’s implemented, it has to be reviewed once it’s actually deployed and it needs to be periodically reviewed to ensure that it’s actually doing what it was intended to do. Data mining does have a place in the ‘anti-terrorism toolkit’ but what we’re currently seeing the government doing verges on being Orwellian. I’m tired of hearing “Trust us, it’s all for your own good.” I’m a security professional; I don’t trust anyone without a full explanation of what they’re trying to do. My wife hates that.