A few days ago, we highlighted the drastic privacy implications of new guidelines issued to govern data-mining by the National Counterterrorism Center (“NCTC”). Yesterday, we testified to Congress about the problems with the guidelines, and we filed three Freedom of Information Act (“FOIA”) requests to learn more about how the guidelines will affect the privacy of millions of Americans.
As we explained before, under the new guidelines approved by the Attorney General, the NCTC may aggregate federal databases consisting mainly of information about Americans with no connection to terrorism and then analyze those databases and disseminate the results for reasons also unrelated to terrorism. What databases will NCTC aggregate? We don’t know yet, but in our FOIA requests we’ve asked for details. What we do know is that the federal government collects an enormous amount of personal information for myriad reasons. Think about your healthcare services, business licenses, gun permits, welfare benefits, voting registrations, and employment records.
Under the new guidelines, the NCTC could potentially combine all the databases that store that sensitive and private information into a single, massive searchable and data-minable database.
The guidelines accomplished this sweeping transformation of the NCTC’s data-mining abilities primarily by allowing the NCTC to intentionally collect data on U.S. citizens and residents even where those people have no suspected ties to terrorism, and to keep that data for 5 years (up from 180 days).
Hidden by the dry technical details of the new guidelines is what we called a “reboot of the Total Information Awareness Program” roundly rejected by Americans after 9/11. Here is how my colleague, Chris Calabrese, described one of the main problems with the guidelines in his written statement to Congress:
In what is perhaps the most significant change, the Obama administration has extended the authority of the NCTC to intentionally collect, retain and assess data on U.S. citizens and residents, even where those people have no suspected ties to terrorism. Previously, the intelligence community was barred from collecting information about ordinary Americans unless the person was a terror suspect or related to an actual investigation. Therefore, when NCTC collected information from federal government databases, it had to search for and identify any innocent US person information inadvertently collected, and discard it within 180 days. This crucial purpose limitation meant that NCTC was dissuaded from collecting or maintaining information on innocent Americans in its large databases, and prohibited from using or disseminating it. The 2012 guidelines eliminate this check, allowing NCTC to collect and “continually assess” information on innocent Americans for up to five years.
Chris went on to describe the NCTC’s alarming new powers under the guidelines to mine the data it has aggregated:
Once NCTC acquires this information, the new guidelines give it broad new powers to search through it. As long as queries are designed to solely identify information that is reasonably believed to constitute terrorism information, it may conduct queries that involve non-terrorism data points and pattern based searches and analysis (data mining). It is particularly noteworthy that NCTC relies on a technique, data mining, which has been thoroughly discredited as a useful tool for identifying terrorists. Data mining searches are notoriously inaccurate and prone to false positives, and it is therefore very likely that individuals with no connection to terrorism will be caught up in terrorism investigations if this technique is utilized. As far back as 2008 the National Academy of Sciences found that data mining for terrorism was scientifically “not feasible” as a methodology, and likely to have significant negative impacts on privacy and civil liberties.
You can read Chris’s full statement to Congress here.
The three FOIA requests we filed yesterday seek more information about the government’s claimed need for the updated NCTC guidelines and the likely impact on the privacy of millions of innocent U.S. citizens and residents whose private information is routinely collected in federal databases. We’ll keep you posted on how the government responds.