U.S. Creates System To Look For 'Future Crimes'

The U.S. government green-lighted a program in March to retain data on U.S. citizens for up to five years as part of a counterterrorism monitoring and analysis effort, despite privacy concerns raised by high-ranking homeland-security and justice officials.

The concerns, first reported in The Wall Street Journal this week, suggest that the National Counterterrorism Center (NCTC) is trying to build an extensive monitoring system that can find terrorists using large datasets. Established in 2004, the NCTC brings together analysts from a variety of agencies and tasks them with sifting through intelligence reports for signs of terrorism activity.

Under the rules signed in March, the center can retain information on ordinary Americans for up to five years, even if they are not connected to terrorism or other crimes. While the monitoring system appears similar to those used by many companies to investigate compromises using forensic data, critics have worried that it undermines citizens' civil rights.

"Innocent people can be investigated and their data kept for years," said Chris Calabrese, legislative counsel for the American Civil Liberties Union, in a statement. "It can be shared with foreign governments. All of this in service of, not just terrorism investigations, but also investigations of future crimes."

Civil libertarians are not the only ones with concerns about the scope of the data collection and monitoring involved in the NCTC's analysis system. At the Department of Justice, Chief Privacy Officer Nancy Libin raised concerns, as did Mary Ellen Callahan, the former chief privacy officer of the Department of Homeland Security, according to The Wall Street Journal article.

"This is a sea change in the way that the government interacts with the general public," Callahan reportedly said.

But NCTC officials have argued that the monitoring system and analysis is not about creating a time machine to look for future crime, but to virtually go into the past and connect past actions that may have been overlooked. If an individual names a friend on a visa application, for example, and is later connected to a terrorism organization, counterterrorism officials want to be able to look back at that connection -- even it happened years ago -- and add it to the analysis, Matthew Olsen, director of the National Counterterrorism Center, told the American Bar Association (ABA) in May.

"In other words, certain data sets needed to be retained for a longer period of time in order to ensure that terrorism information was not deleted simply because its significance was not immediately apparent," he told the ABA's Standing Committee on Law and National Security in prepared remarks (PDF).

[Companies and universities look for specific algorithms that will help identify malicious insiders and compromised systems that are acting as insiders. See Analyzing Data To Pinpoint Rogue Insiders.]

The near success of Umar Farouk Abdulmutallab, popularly known as "the Underwear Bomber," in December 2009 was a wake-up call for counterterrorism intelligence analysts, Olsen said in May. While Olsen did not give examples of data points that could have been connected to catch the bomber, he stressed that the NCTC needed the ability to retain information for analysis.

Using monitoring systems to hunt down rogue actors, and even predict when employee may go rogue, has become a major initiative for the U.S. government. Following the leak of diplomatic memos from the U.S. State Department, the Pentagon created the Anomaly Detections at Multiple Scales (ADAMS) project to fund ways of detecting rogue behavior that could indicate a malicious insider.

Such projects may have an easier time pinpointing suspicious activity than network-security monitoring systems used by companies to identify potential rogue insiders by their online behavior, says Mike Lloyd, chief technology officer for RedSeal Networks.

"There is a big difference between the hackers and the terrorists," he says. "The terrorists ... would have to buy an awful lot of fertilizer, for example, to make a bomb, and that's something you can track. So it is plausible, I think, that the data mining will be more effective in counterterrorism than it is with hackers."

Today's network security monitoring systems focus on detecting anomalies that indicate a compromise of a company's systems or that hackers has access to those systems; in other words, they are looking for signs of an event that has already happened. Yet, by combining the analysis of big data with intelligence on the threats affecting an industry or community, companies are increasingly looking to detect potential attacks.

Such systems, however, require that companies and the federal government use them responsibly. Of the two, companies may be the more responsible, says Lloyd, because they are required to follow the privacy laws of the countries in which they operate. Some nations, such as those in Europe, are much stricter than the United States, he says.

In developing its monitoring system for detecting signs of terrorism, the U.S. government should look at strong safeguards, he says.

"Having this technology and having the ability to use it safely are really two different things," says Lloyd. "I think these systems work, but that is both the good news and the bad news."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.