Last month's article looked at Trusted Computing and how we might be affected by it. This month, I look at the federal government's efforts to combat terrorism through the use of data, computers, and related technologies and how this affects us as computer professionals.
A Code of Ethics for Computer Professionals
Like people in some other professions, we computer engineers, programmers, and whatnot have to be blindly trusted by society because nobody understands what we do. To help us with this, the Association for Computing Machinery (ACM) long ago defined standards of ethics by which computer professionals should conduct themselves. Founded in 1947, the ACM is the oldest and most esteemed computer society in the world.
The ACM Code of Ethics and Professional Conduct is a collection of 24 imperatives for people who work with computers and data, describing how we should behave under most situations we're likely to face. Imperative number 1 states: "As an ACM member I will contribute to society and human well-being... [and] affirm an obligation to protect fundamental human rights and to respect the diversity of all cultures." Imperative number 7 says: "As an ACM member I will respect the privacy of others... [and] maintain the privacy and integrity of data describing individuals."
The IAO and the TIA
With that said, let's take a look at the U.S. government's Information Awareness Office (IAO). The IAO (whose Latin motto scientia est potential means "knowledge is power") is the federal agency mandated with collecting and analyzing data and is the owner of the Terrorism Information Awareness (TIA) initiative. "TIA" originally stood for "Total Information Awareness," but this name suggested an invasion of citizen privacy by the federal government (collecting your "dossier" and all that). The name was changed in 2003 to "Terrorism Information Awareness," with some funding going to a new faction of TIA called MATRIX (Multistate Anti-Terrorism Information Exchange.)
TIA and MATRIX consist of more than a dozen surveillance and security applications being developed by several branches of government. According to the Defense Advanced Research Projects Agency (DARPA), "The applications are designed to detect suspicious behavior in clusters of people, to identify people in public places, and to determine patterns of behavior by analyzing databases of information." The full TIA prototype is expected in 2007 to 2009.
A central component of TIA is the ability to identify suspects through characteristics of the face and body. High-resolution 3D images are collected and analyzed for dozens of identifying features, including how someone walks. Software called Human Identification at a Distance can identify a person from as far away as 500 feet. Another component, Next Generation Face Technology, uses high-resolution 3D images to read people's faces and determine if they're telling the truth. DARPA also has plans to develop radar, thermal, and infrared sensing to examine human features from side angles, even in bad weather.
Data Analysis by the Government
Perhaps the most controversial TIA ambition is to identify threatening individuals by analyzing databases of information. This project seeks to detect potential terrorists through the transaction records and public records they create while going about their evil business. That is, collected data would include public information like immigration records, licensing, and tax data as well as less-public information like credit card bills, grocery store transactions, education records, airline tickets, car rentals, and utility bills. The government's intent is to establish profiles for terrorists and see who fits them, hoping to identify likely offenders. DARPA claims the data would not be released to others and that the data is already available to businesses anyway.
Not Everyone Is a TIA Fan
Critics of TIA advise caution. Data errors like a misspelled name could result in someone coming under suspicion by mistake. (Once the FBI comes into your place of work and arrests you, even by mistake, others seem to treat you differently from then on.) And perhaps more disturbing, there probably will be no government obligation to correct errors, once found. In a recent decision, the Justice Department ruled the FBI is exempt from the Privacy Act of 1974. That means the FBI does not have to ensure the accuracy of information contained in its National Crime Information Center database.
The IAO touts TIA as a system that will merit our confidence. They say the conclusions drawn by TIA data analysis will be accurate and effective. However, hidden within their assurance is another message. It says that since they think TIA can be trusted, if TIA says you're a terrorist, then you're a terrorist. As with all security systems, the more trusted TIA is, the more vulnerable it is. If TIA is thought to be accurate, yet it falsely identifies an innocent person as threatening, the damage to the person could be irreparable.
"I don't want someone knowing all my movements and everything I've done all day," said Jay Stanley, speaking for the Technology and Liberty Program at the ACLU. "I don't even want that to be recorded. It will change how I act. It will make me less free."
Senator Russ Feingold introduced legislation in January of 2003 to discontinue the TIA projects and other activities of the IAO until Congress could hold a review of the privacy concerns involved. Senator Ron Wyden brought similar legislation that would prevent the IAO from operating within the United States unless specifically authorized by Congress. Further, Senator Wyden's bill would shut the IAO down entirely 60 days after passage unless the Pentagon prepared a report "assessing the impact of IAO activities on individual privacy and civil liberties, or the President certified the program's research as vital to national security interests."
In Congress, legislation was passed in February of 2003 halting activities of the IAO pending a Congressional report of the office's activities. Action in the Congress to attempt to halt a specific internal Department of Defense project occurs extremely rarely, underscoring the grave threat to civil liberties and privacy that many lawmakers perceive in the IAO.
The Dilemma of Privacy Versus Security
When applying imperatives of professional conduct to TIA, there can be no way to separate the ordinary citizens from those who wish us ill based on physical appearance or data analysis. An innocent person may look like a terrorist. A terrorist will walk like an ordinary citizen. A law-abiding exchange student may create the very same public and private transaction records that a terrorist does. The question, then, becomes one of degrees. Persons who fit within a certain level of classifying criteria may be identified as potential threats to the nation. Conversely, terrorists who can successfully avoid trigger transactions may be included in the "non-threatening" group.
On the other hand, few among us would begrudge the loss of a little privacy if it meant the prevention of tragic events and the consequential human suffering. Under one approach to ethics, where the common good is weighed against individual rights, it could be argued that privacy advocates are reacting emotionally and are failing to see the bigger picture. Sure, some mistakes may be made, but the overall benefit to society surely outweighs the occasional individual tragedy.
This issue is a tough nut to crack. Even if we subscribe to the notion that the common good should prevail, how do we know we're not giving up our privacy for nothing? Maybe we're just kidding ourselves with these types of security measures; the bad guys can still find a way.
For computer professionals, the problem is compounded because we're supposed to do what our employers, be they in business or government, want us to, yet their goals may be contrary to the accepted code of ethics. How are we supposed to know when the government agency we work for has overstepped its mandate or the business we work for has violated tenets of privacy? It's hard to say where the line should be drawn, but at some point, it must be. For example, what if our employer decides that we should write a virus that targets a competitor or we should create spyware and sell the data? Sometimes you encounter an employer that you must get away from but at least you can take your ethics with you.