The federal government is building a domestic spy network unlike any the world has ever seen.
When it's complete, every keystroke you make on a computer and every automated transaction that has ever involved you will be captured, correlated and relentlessly mined by dozens of federal agencies day in and day out.
While privacy advocates and the nation's big newspapers and networks battle the federal government over the National Security Agency's phone record collection and the Treasury Department's fishing expedition through international banking records, federal domestic spying programs are mushrooming.
Odds are that if the American people knew the full story about the federal government's domestic spying regime, they'd consider the NSA and Treasury Department spy programs tame by comparison.
While sleeker, sexier federal data-mining programs that purport to target terrorists make headlines across the nation, dozens of federal spy programs that are just as invasive in scope, if not more so, get scant attention. Unlike the NSA and Treasury spy programs, the U.S. Mint program that trawls through your credit card data when you make online purchases isn't aimed at terrorists. It was built to spy on ordinary Americans in an effort to "detect criminal activities or patterns" and "stop fraudulent activity involving stolen credit cards." Yet very little has ever been written or reported about it.
The Mint program had Gradiance CEO Jeffrey Ullman, a Stanford University computer professor who specializes in data-mining and has served on Google's technical advisory board, scratching his head when he learned about it.
"I'm not sure why the Mint would be doing that," Ullman said. "Visa and MasterCard seem to be doing just fine at fraud detection."
Congress isn't sure either. It didn't know about the program until a bipartisan committee asked the General Accountability Office (GAO) to find out how many data-mining programs the federal government has going. The Mint program turned up in a 2004 GAO audit, along with about 200 other so-called data-mining programs, over 50 of which are designed to scour personal data and information purchased from the private sector for patterns of criminal and terrorist activity.
The criteria the Mint program uses in its searches remain a mystery, even to Congress. E-mails from Creative Loafing inquiring about the program elicited no response from the Mint, which acknowledges its existence in its annual reports to Congress but provides no further detail.
The Internal Revenue Service (IRS) recently began using data-mining technology to extend its internal fraud detection system outside the IRS building walls for the first time. A recently launched program called Reveal uses commercial software to troll through multiple databases of financial transactions between individuals and institutions in search of suspicious links in the data that could indicate everything from individual income tax evasion to financial crimes or terrorist activity.
According to a follow-up GAO report, the program spits out reports that contain names, Social Security numbers, addresses and other personal information on individuals whose transactions fit a pattern that the IRS deems suspicious.
In these programs, a chilling nexus is developing between the government and private sector companies called data aggregators, who stand to make billions collecting data on individual Americans and selling it to government agencies. But federal programs like the Mint's are merely the seeds of a universal government data system that has been in the works since at least 1998. When it's complete, all government agencies will speak the same technological language and will be able to access data records that contain every recordable detail of our lives. So far, the federal government has put hundreds of millions of dollars and hundreds of thousands of man-hours into building what the Bush administration calls the Information Sharing Environment (ISE). Until recently, turf battles slowed things down, but that's changing.
Companies have been keeping data on consumers for decades, and the types of data they keep haven't changed much, says Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. But their ability to store it has. It used to be that a company could only afford to keep three months' worth of paper data in a warehouse somewhere. A decade later, they stored three years' worth on computers. Today, computer storage capacity is so great that the once-necessary data purge is becoming obsolete.
"Fifteen years ago, storage technology reached the point where nothing ever has to be dropped again," said Ullman. "It's growing faster than we could possibly fill it up if all of us were typing all the time. Pretty much every time you fill out a form online, it will be recorded somewhere and it will probably exist permanently. Any transaction that involves a credit card, any financial transaction other than putting cash in a vending machine, will get recorded somewhere. You have to assume that any time you type something, just as when you touch a glass, your fingerprints are on it."
Take MIB Inc., for instance. According to the Houston Chronicle, MIB stores insurance data on nearly 20 million Americans who filled out applications for disability, life, health and long-term care policies over the last decade, as well as data it collects from the 500 insurance companies that subscribe to it and share policy application data with it. Once information about you is entered into the system, whoever buys the information can access potentially intimate details of your health.
Members of Congress were not pleased to learn earlier this year that the FBI had a subscription to ChoicePoint, a massive data aggregating company that collects a staggering amount of data on individual Americans, pulling information from every source imaginable.
For the FBI and other law enforcement agencies, ChoicePoint and other data aggregators offer a detailed individual history in just a few keystrokes, as well as the ability to track a target's links with other individuals.
Among its accomplishments, ChoicePoint lists helping the government link several of the September 11 hijackers, determining that the two Washington snipers who murdered 10 people in 2002 were driving a Chevrolet Caprice sedan rather than a white van (as authorities initially believed), and detecting tens of thousands of felons who attempted to hide their criminal status when they applied for government and non-profit jobs.
From our homes to our health to our criminal records, ChoicePoint's databases contain over 20 billion records on the minutiae of individuals' lives. Whether that's a good thing depends on your perspective. ChoicePoint has contracts with the CIA, the Department of Justice, the Department of Homeland Security and over a dozen other federal agencies.
The information it provides them is the same data it provides to private sector companies who do extensive background checks of their employees. So why shouldn't the government have access to databases that would help solve crime or prevent terrorism?
Chris Calabrese, counsel for the American Civil Liberties Union's technology and liberty program, says that the government is outsourcing surveillance to get around privacy laws and that data aggregators like ChoicePoint are turning into surveillance arms of the federal government.
That's a problem, he says, because there is little regulation of data aggregation.
"It multiplies the government's surveillance ability and there is almost no law on it," said Calabrese.
While the Bush administration clearly wants seamless access to private sector data, it's also clear that it doesn't intend to be dependent on the private sector for intelligence. A series of presidential directives by George W. Bush that date back to 2001 order the creation of a widespread federal information data-mining network that was originally the brainchild of the 9/11 Commission.
Everyone involved in creating the Bush administration's ISE emphasizes that, when it is complete, it won't be a database, but a system of connections between intelligence databases. Employees at one federal agency will be able to mine the data kept by other agencies and the private sector. The walls between the agencies will cease to have meaning and once a piece of data enters the federal system, it will be accessible to everyone.
According to an interim plan for its creation issued by the office of the director of National Intelligence to Congress, the ISE will connect the smaller-scale information-sharing initiatives already under way--like the Mint and Reveal programs and the databases they operate off of--and build upon an extensive federal information network that already exists. At the same time, private sector data will flow seamlessly into the system.
The skeleton of that system already exists. Dozens of federal agencies have already created "data marts" and "data warehouses" to store their data for mining. One data mart at the Department of Homeland Security's Border and Transportation Security Directorate stores incident reports from federal, state and local law enforcement agencies on everything from traffic tickets to firearm possession. Another one at the FBI stores terrorism-specific data from the Department of Homeland Security, the FBI and the public sector.
At the same time, federal agencies are also developing data-mining programs to troll through other departments' data marts. The Defense Intelligence Agency's Verity K2 Enterprise mines data from other intelligence agencies' databases. So does the Department of Energy's Autonomy program, which checks other agencies' data for patterns that threaten "DOE assets." Even the Food and Drug Administration has data marts planned, as well as a program that tracks federal, state and local reports of adverse reactions to food, cosmetics and dietary supplements.
Meanwhile, other agencies, like the Department of Homeland Security's Information Analysis and Infrastructure Protection Directorate, are taking the initiative to gather personal and private sector data on their own. The directorate's Analyst Notebook I2 program correlates events and people to specific information, looking for patterns indicative of terrorism.
The main obstacle to streamlining all this information into one big searchable system is bureaucratic, not technical. No standard classification system exists for intelligence information across the federal government, and various agencies have resisted adopting new standards.
After September 11, 2001, Bush and Congress created the Information Sharing Council, which was supposed to iron out all the details of the transition. But a turf war broke out, and the bureaucrat in charge of the whole operation resigned. The first signs of progress in four years came last month, when Director of National Intelligence John Negroponte announced that a final implementation plan for the ISE was complete and would be released this month.
That was news to Calabrese, the counsel for the ACLU's technology and liberty program. The ACLU was aware of the Information Sharing Environment, but he hadn't kept track of the recent progress, he said. He also wasn't aware of the status of the Mint program, or a list of others Creative Loafing ticked off for him. He said that the ACLU hadn't been able to keep track of what was going on with the other programs because it was so wrapped up in battling the NSA spy programs, which he described as more advanced, even though he admitted he wasn't sure exactly what the other federal spy programs were doing.
It's a problem the leaders of the ACLU have been discussing internally, Calabrese said.
The creation and spread of data-mining programs throughout the federal government is occurring so rapidly that even privacy advocates are having difficulty keeping track of it all.
In other cases, the door is slammed so tightly shut that privacy advocacy groups simply give up and move on with less of a fight than they would have put up a decade ago.
In 2004, the Electronic Privacy Information Center (EPIC) filed a Freedom of Information Act (FOIA) request to find out exactly what the Defense Intelligence Agency's "Verity K2 Enterprise" program entailed. According to the GAO Congressional report, the program mines intelligence community data and Internet searches to look for terrorism-related patterns. After EPIC lost its FOIA fight in court, privacy advocates moved on to other battles without learning anything more about the program.
Then there's the non-profit Markle Foundation. Its various task forces and boards are loaded with representatives of companies that stand to profit from government data-mining, including Sun Microsystems, IBM, Microsoft and Bechtel Group. Its mission, naturally, is to advocate for sensible government data-mining programs that its board members can and do profit from, and Markle's national security task force members have regularly been appointed to high-ranking positions in the Bush administration.
In a perfect example of how the foundation operates, Markle recently developed software that connected health organization databases in three states, allowing them to effortlessly store and swap patient health records electronically.
The software Markle developed is now being used by the U.S. Department of Health and Human Services (DHHS) to develop a nationwide health information network. Perhaps it was mere coincidence that DHHS awarded the $18.6 million contract for the system's creation to IBM, Accenture and Northrop Grumman, all three of which have representatives on the Markle steering group that developed the software.
That's the ugly side of federal data-mining, a lot of which is being driven by powerful companies looking to profit from providing the government with ever-greater access to increasingly sensitive personal information.
But even Calabrese admits there's a considerable upside to Markle's efforts. There are "incredible benefits" to archiving medical records so emergency room doctors can access them instantly from anywhere and know a patient's medical history and what medications they are on, he says.
But while Markle representatives and DHHS are of course promising complete patient confidentiality, the reality is that patients won't know whether their medical records will eventually be mined, Calabrese adds. Because medical records wouldn't be categorized as "classified" information under the Information Sharing Environment plan, patients might not have much control over where their medical information ends up if another federal intelligence agency decides to data-mine it.
"Your sexual history, your drug use, things important for protecting your health you just won't share with your doctor if you know they are going into a massive computer database," said Calabrese.
Markle's data-sharing "advocacy" also includes homeland security and the creation of new legal standards that govern who gets to see information about you and when.
If Markle and the federal government get their way, decisions on which federal employees have access to which sets of federal data will be based on how the information is going to be used, rather than on the ethnic origin of the subject or where the data came from. It's a policy that, if implemented, could open up all kinds of electronic records on ordinary Americans for federal viewing.
Herb Edelstein, the president of Two Crows Consulting and an expert in data-mining, is skeptical of the government's efforts. Edelstein helps private sector companies mine data for customer information and background checks. He says that data-mining can be a powerful tool if the government knows who it is targeting and wants to know everything about them or to quickly learn who they associate with. It's less effective if the government is simply doing random searches for patterns.
Pattern searching works well for businesses because they can afford to be wrong a lot of the time, Edelstein says. A business that wants to market its products to small home-based businesses might mine phone records to see who has a home phone and a fax number at the same address, on the theory that they might be running a home-based business. They may be wrong in half the cases, Edelstein says, but if they are right in the other half, their marketing dollars may be well spent.
But randomly searching for patterns among millions of pieces of data is likely to yield thousands of hits, most of which could be fruitless in a terrorism investigation.
"The best a program can do is say we have to investigate this person," said Edelstein. "It takes a huge amount of time to investigate someone. They can't clear people fast enough now. It might take months of effort."
At the moment, Edelstein says, the government is still in the phase of exploring data-mining to see what it can do, and there has been a definite swing away from protecting personal privacy.
"After 9/11, the government said if private industry is doing this, we should, too, and maybe we can figure out who the bad guys are," said Edelstein.
Meanwhile, the federal government is plowing ahead with the parts of the federal information sharing system it can build now in anticipation of the day when the whole system is up and running.
At 3320 Garner Road in Raleigh, North Carolina, federal, state and local officials are preparing to open the state's information and analysis sharing center next month. Every state in the nation is required to have one by 2007. Called "fusion centers," they are part of something called the National Criminal Intelligence Sharing Plan, and they'll eventually grow into intelligence and information hubs that swap data between local law enforcement, the private sector and the federal government.
Special Agent In Charge Pam Tully, a veteran of the North Carolina State Bureau of Investigation, says that the center's databases will all run on the same global standards others across the nation use. It could be years before all the centers are able to link up, she says.
"We are all trying to build our centers on that same platform so on that day when we all connect, it will be smooth," said Tully.
This article originally appeared in Creative Loafing Charlotte.