By Cynthia L. Webb
washingtonpost.com Staff Writer
Thursday, May 27, 2004; 4:05 PM

The question of whether privacy and technology can be reconciled has become one of the 21st century's biggest dilemmas.

First it was the debate over the Patriot Act and its provisions granting law enforcement vast new powers to surveil electronic communications. The privacy advocates lost that fight in the immediate aftermath of the Sept. 11 terrorist attacks.

After that, the tide appeared to shift a bit. The Total Information Awareness project, envisioned by the Pentagon's high-tech research arm as a system to mine information from databases worldwide to detect potential threats, was derailed last year after media reports sparked a public outcry.

The privacy vs. technology debate made the headlines again last week when the American Civil Liberties Union reported that what was supposed to be a state-led anti-crime database effort was actually heavily supported by the federal government. The so-called Matrix program, the ACLU said, not only received millions in federal support, but the contractor who helped build the system gave the feds and Florida officials a list of 120,000 people who fit the profile of a "potential terrorist."

It's hard to say what effect the ACLU report will have on Matrix's future -- Eleven of the 16 states originally on board for the Matrix pilot program have already dropped out over concerns about how information would be stored in the system's central database. But today's New York Times reminds privacy advocates that they've got a huge challenge cut out for them.

Uncle Sam, it turns out, has been quietly rolling out scores of programs that sniff for personal data. "A survey of federal agencies has found more than 120 programs that collect and analyze large amounts of personal data on individuals to predict their behavior. The survey, to be issued Thursday by the General Accounting Office, an investigative arm of Congress, found that the practice, known as data mining, was ubiquitous," The New York Times reported today. "In canvassing federal agencies, the accounting office found that 52 were systematically sifting through computer databases. These agencies reported 199 data mining projects, of which 68 were planned and 131 were in operation. At least 122 of the 199 projects used identifying information like names, e-mail addresses, Social Security numbers and driver's license numbers."

According to the Times, the GAO report "provides the first authoritative estimate of the extent of data mining by the government. It excludes most classified projects, so the actual numbers are likely to be much higher." The top data-miner? "The Defense Department made greatest use of the technique, with 47 data mining projects to track everything from the academic performance of Navy midshipmen to the whereabouts of ship parts and suspected terrorists." And, the Times noted, the "Defense Intelligence Agency mines data from the intelligence community and searches the Internet to identify people, including United States citizens, who are most likely to have connections to foreign terrorist activities."

Reuters said several of the data-mining efforts detailed in the GAO report "appear to be patterned after Total Information Awareness, which critics said could have led to an Orwellian surveillance state in which citizens have little privacy. 'I believe that Total Information Awareness is continuing under other names, and the (Defense Department) projects listed here might fit that bill,' said Peter Swire, an Ohio State University law professor who served as the Clinton administration's top privacy official."

Sen. Daniel Akaka (D-Hawaii), who requested the GAO report, posted a statement about it on his official Web site.

Back to the ACLU report. Matrix, short for Multistate Antiterrorism Information Exchange, was launched after the Sept. 11 attacks with support from the Justice Department. The ACLU has two main concerns about the program: That the Department of Homeland Security quietly gave millions to support Matrix and may have been actively engaged in administering the program; and that the Matrix's primary contractor -- Boca Raton, Fla.-based Seisint Inc. -- generated a list of potential terrorists shortly after Sept. 11 and gave that information to the government.

The ACLU appears to be most concerned about how Seisint was able to generate a list of 120,000 terrorist suspects and whether or not the current Matrix system continues to prowl through personal data to see if other Americans fit a terrorist profile is what really has the ACLU's hackles up. "We believe the entire method is flawed. Terrorists can't be identified by a quotient, and the process makes every American suspect," Christopher Calabrese, counsel for ACLU's technology and liberty program, told Washington Technology. "Terrorists are stopped by basic police work. Coming up with a computer program doesn't work. At this point, they've not convinced us."

The Miami Herald last Thursday reported that "MATRIX in its current state contains nothing police can't get from other sources, ACLU officials acknowledge. Still, the fact that it once used other 'investigative data' to compile lists of potential terrorists is cause for concern," the ACLU's Barry Steinhardt told the paper. "'It could be reactivated at any time. We're saying the federal government should cut off all funding to the program,' he said. MATRIX denies any intent to continue making lists of potential terrorism suspects."

The ACLU has posted a lot information about Matrix on its a Web site, including the full report of its investigation. The ACLU specifically called on Homeland Security privacy czar Nuala O'Connor Kelly to investigate the agency's involvement in the Matrix program. Meanwhile, the ACLU also issued a statement praising the newly released GAO report on government-wide data-mining programs.

Steinhardt joined washingtonpost.com for a Live Online discussion today about Matrix and other government data-mining projects.

The Associated Press was the first outlet last week to report on federal involvement in the Matrix program. As the piece makes clear, Seisint's method for scanning data for signs of terrorist tendencies is what stoked the federal government's interest. "Public records obtained by The Associated Press from several states show that Justice Department officials cited the scoring technology in appointing Seisint sole contractor on the federally funded, $12 million project. Seisint and the law enforcement officials who oversee Matrix insist that the terrorism scoring system ultimately was kept out of the project, largely because of privacy concerns. However, new details about Seisint's development of the 'terrorism quotient,' including the revelation that authorities apparently acted on the list of 120,000, are renewing privacy activists' suspicions about Matrix's potential power," The AP reported.

The Matrix supporters, however, indicated to the AP that the system no longer uses the scoring system used to develop the controversial terrorist watch list. "Bill Shrewsbury, a Seisint executive and former federal drug agent, said the terrorism scoring algorithm that produced the list of 120,000 names was 'put on the shelf' after it was demonstrated immediately following Sept. 11, 2001. He said the scoring system requires intelligence data that was fed into the software for the initial demonstration but is not commonly available. 'Nor are we interested in pursuing that,' he said," the AP reported.

A pick-up of The AP article by Dow Jones Newswires gave more details on how the terrorism-rating quotient netted results for Matrix and Seisint. "Although Seisint says it shelved the scoring system -- known as high terrorist factor, or HTF -- after the original demonstrations in the wake of Sept. 11, 2001, the algorithm was touted well into 2003. A records request by the AP in Florida turned up 'briefing points,' dated January 2003, for a presentation on Matrix to Vice President Dick Cheney and other top federal officials delivered jointly by Seisint, Florida Gov. Jeb Bush and Florida's top police official. One of the items on Seisint's agenda: 'Demonstrate HTF with mapping.' Matrix meeting minutes from February 2003 say Cheney was briefed along with Homeland Security Director Tom Ridge and FBI Director Robert Mueller."

The Web site for the Matrix program has a page listing "misconceptions" about the program. Top items on its list of facts intended to correct the public record? "MATRIX is controlled by the participating states and not a vendor," and, "MATRIX is not a data mining application."

The Matrix site also has a list of the five states currently participating in the project, along with a spring 2004 newsletter offering more clarifications. The site bills Matrix as a "pilot information sharing project" that is designed to help with the exchange of "sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies."

Guy Tunnell, head of the Florida Department of Law Enforcement and chairman of the Matrix executive committee, fired off a letter last year in response to a Florida Today article on Matrix. Excerpt: "MATRIX is an improved 'tool' for investigators, not a substitute for the investigation itself. It is investigator-driven, not automatic. The system does not allow indiscriminate surveillance of one's activities and it does not 'monitor' individuals. Inquiries will be driven by actual criminal investigations or by reason of following up on active criminal intelligence or domestic security threat information, and the use of MATRIX will be monitored to guard against inappropriate or unauthorized use. MATRIX simply provides access to information in a centralized fashion that is already available to investigators at individual sites today." See the complete letter on the Matrix Web site.

The Tallahassee Democrat offered up a thorough report last Saturday on Seisint founder Hank Asher's questionable background. Asher, who demonstrated Matrix's powers to Vice President Cheney and the nation's other top security and law enforcement officials, "resigned from the company in August after the [Florida Department of Law Enforcement] questioned his background during negotiations on a $1.6 million state contract related to Matrix. Asher was identified as a pilot in several drug-smuggling cases prosecuted in the 1980s. He was never charged with a crime but became an informant for state and federal agencies."

Other outlets have reported on Asher's shady past too, but the Tallahassee article offered a twist in its piece, noting that Florida Gov. Jeb Bush "didn't know of the Boca Raton millionaire's drug involvement when he and then-FDLE Commissioner Tim Moore pitched Seisint to federal officials. Asked if he would have done so if he had known, Bush nodded. 'Yeah, because the company itself has a great piece of technology that has been used in the public sector and the private sector,' he said. 'It's a Florida-based company and during that time -- particularly after Sept. 11 -- it was important for policy makers to be aware of the kind of technology that would assist us in the fight against terror. So I would have done it.'"

Perhaps in a bid to win states back into the Matrix fold, the federal government wants to give states more control over the data they collect, according to a Washington Technology article that ran early this week. Long before the ACLU report was released, Matrix "ran into legal and political snags when many of the participating states became concerned that individual state laws would not allow them to transfer information about their citizens to the network's central repository in Florida. Some states also cited costs as a reason for leaving the project."

Now, Washington Technology said, "federal officials advising the Matrix board of directors propose a so-called distributed approach rather than a centralized approach to data storage for the network. Under the new approach, each state would have its own repository from which it could exchange information with other participating states. ... The information would not have to be exported from states that want to participate under the new model, said Bruce Edwards, a policy adviser with the Bureau of Justice Affairs."

Miami Herald columnist Jim Defede on Tuesday explained that the "ACLU sees the MATRIX and programs like it as being a threat to our rights of privacy. Asher, MATRIX's creator, responds by saying: 'The concept that a terrorist has an expectation of privacy is bizarre to me.' Unfortunately, Asher misses the point. It's not the rights of the would-be terrorist I'm worried about. It's the rest of us. What happens to the other people who wind up on these lists -- the vast majority of whom are not terrorists? The ACLU fears that once the lists are created, they will live on forever," the article said. "Asher says he is sympathetic to the ACLU's concerns. 'Do I think there is a danger if the data is in the wrong hands? Absolutely,' he says. 'But I think there is a bigger danger if the data is not in the right hands.'"

Seisint may get some competition when it comes to powering the government data-mining needs. The Washington Post reported that Matrix "[o]rganizers intend to ask other data services for proposals to create other Matrix-like systems later this year, in part to create competition, said Mark Zadra of the [Florida Department of Law Enforcement]. Currently, Matrix operates under a sole-source contract with Florida."

One company already on the scene is Knowledge Computing Corp. of Tucson, Ariz., maker of software called Coplink that scours crime records to help connect the dots between people and events. It uses data management and artificial intelligence technology. "It's a tool intended to help authorities investigate rapes, murders and other crimes far more quickly than they can today," the Lawrence (Kansas) Journal World reported last August. "Coplink works by sifting through a database of all sorts of police records -- from traffic stops to murder investigations -- to deliver a list of leads in just seconds. The same kind of process now takes hours or even days of a detective's time -- when it is possible at all," the article explained. The company has posted a list of law enforcement agencies that are using its software.

"The software's powerful capabilities are a concern for Ari Schwartz, associate director of the Center for Democracy and Technology in Washington, D.C., which monitors privacy issues. But Coplink doesn't cause him as much worry as other post-Sept. 11 law-enforcement database plans," the Journal World reported in its piece last year. "Because Coplink is geared toward processing information already in law enforcement's hands, 'there's less of a chance for fishing expeditions,' Schwartz said."

The Los Angeles Times yesterday wrote about the data-mining topic. One interesting nugget in the piece: "[A] soon-to-be-released report from a panel created by Defense Secretary Donald H. Rumsfeld recommends that the Defense Department take steps to ensure privacy when mining data to fight terrorism. The report also urges Congress to pass stronger privacy laws and calls on the courts and the president to take action to protect Americans in the face of new information-gathering technologies that make anti-terrorism privacy issues 'not the tip of the iceberg, but rather one small specimen in a sea of icebergs.'"

The federal government's plans to create a system to track foreign visitors to the United States -- the Department of Homeland Security's US-Visit Program -- has raised the ire of technology columnist Dan Gillmor of The San Jose Mercury News. In a column this week, Gillmor says of the program: "In theory, the proposed system -- combining database mining, biometric tracking (including radio chips in passports) and other technological measures -- would help U.S. authorities spot some bad guys. In practice, it'll undoubtedly crumble under the weight of administrative woes and the vast number of 'false positives' (tagging innocent people as suspects) that will make identifying actual bad guys almost impossible. But even it did work, we would be wise to ask ourselves a few questions before spending those billions. Such as: Will this just be another deterrent to doing business? And: If we build a surveillance system that can track foreigners so efficiently, how long would it take for the same technology to be used to track American citizens? Various arms of government, notably state drivers licensing agencies at this point, are moving us surely toward a national ID card -- an internal passport."

E-mail government IT tips, comments and links to cindyDOTwebbATwashingtonpost.com