A Framework For Thinking About Surveillance

By Cameron
October 14, 2008

Calling on the Executive and Legislative branches of the U.S. Government to “systematically” review every counterterrorism program that deals with personal data and establish new privacy protections, the National Academies recently released a new report examining counterterrorism efforts and privacy rights. In usual Academies fashion, the report is a tome. The august body convened a distinguished and diverse panel to produce a comprehensive report that lays out the entire context of discussion, makes recommendations, and offers a detailed framework for reviewing counterterrorism programs.

It makes two overarching recommendations:

  • U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
  • The U.S. government should periodically review the nation’s laws, policies, and procedures that protect individuals’ private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should reexamine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

The report was fairly (at least implicitly) critical of the current evaluation of existing programs and their efficacy. While the panel leads by stating that terrorism remains a serious threat to the United States, they call into question automated screening techniques for identifying terrorists. These efforts fall into two general categories — data mining for patterns and behavioral surveillance. The committee called into question the value of widespread data collection and mining, pointing out, “Although these methods have been useful in the private sector … they are less helpful for counterterrorism precisely because so little is known about what patterns indicate terrorist activity.” They also noted that linking good data with marginal data can dramatically reduce efficacy and increase the risk of false positives. The committee was even more circumspect about behavioral surveillance, saying “there is no scientific consensus on whether these techniques are ready for use at all … ” and “they have enormous potential for privacy violations because they will inevitably force targeted individuals to explain and justify their mental and emotional states.”

The heart of the report introduces a comprehensive framework for assessing programs and policies. It is too long to reproduce here (you can find it on pages 59 to 66 of the report). Much of it will be familiar to those who have worked at the intersection of technology and privacy policy. In fact, the committee points out that many of these recommendations have been made before. The goal of this effort is to show that these ideas are supported by a diverse body of experts and should be implemented. The framework’s purpose is to lay out a series of considerations to answer two key questions:

“First, is an information-based program effective or likely to be effective in achieving its intended goal? Second, does the program comply with the law and reflect the values of society, especially concerning the protection of data subjects’ civil liberties?”

The second question is particularly interesting because the framework is intended for both policy makers and program managers. While it is perfectly appropriate to ask policy makers to consider value judgements, it is very difficult, and dangerous, to ask program managers to do the same. Differences in values are, or should be, resolved within the body politic where tradeoffs between interests can be balanced. When unelected officials try to make value judgements, they may inappropriately apply their values without the same level of political controls — something both conservative and liberal groups have accused officials from multiple administrations of doing — or end up hamstrung as they cautiously try to resolve where political consensus truly lies.

During the briefing on the report, I asked the panel why they focused on both value and legality judgements, and what, given the diversity of interests in the United States, was the “value” baseline for program managers to use in doing this evaluation. The first response was that the committee wanted the government to think beyond just legal yes/no questions (i.e., does program a, b, c comply with law x, y, z?) and take into account the value that people place on privacy and civil liberties. The second response was that deciding a baseline of values was an “unanswerable question.” This was the right response to my question, but it also begs the question of why this was part of their recommendations.

You can find a podcast of the event report’s release:


And a webcast: