1. Critiquing the Idea of Total Information Awareness Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Association of Privacy Officers February 27, 2003

2. Overview n The Poindexter TIA program n The Poindexter program is simply one example of the Administrations consistent philosophy of TIA n Security, privacy & democracy critiques of TIA n What to do next

3. I. The Poindexter Program n Announcement fall 2002 of Total Information Awareness Program in Dept. of Defense, headed by Adm. John Poindexter n Vacuum cleaner for government, public- record, and private databases n Research program, but expected to go operational soon

5. Poindexter Program n Public outcry against the program n Wyden-Grassley amendment to de-fund it n Bush Administration tried to save it with a blue-ribbon oversight board n No member of Congress spoke for it n So, ban on expenditure won

6. II. The Bush Doctrine of Total Information Awareness n The Poindexter program is simply one example of a Bush Administration doctrine of Total Information Awareness n At its most basic: – The government should know more – Everyone else should know less

7. The Government Should Know More n Maximize information available to the Enforcers – That is what Total Information Awareness means n Maximize detection and surveillance by the Enforcers n Maximize information sharing among the Enforcers

8. Maximize Detection & Surveillance n Examples: – Poindexter program itself – TIPS -- get information from the letter carrier and the cable guy – USA-Patriot Act -- stored records, etc. – Patriot II proposal -- get FCRA records without consent, etc.

9. Maximize Information Sharing n Break down the wall between law enforcement and foreign intelligence/FISA n TTIC -- 2003 State of the Union and Director of CIA should head analysis of domestic, foreign, and law enforcement data n OMB initiatives to end data silos n Homeland Security Departments many functions share data n Money laundering data at home & abroad

10. Everyone Else Should Know Less Bush Administration policy of increasing government secrecy (1) Tell less about government actions (2) More rules to prevent leaks

11. Tell less about government actions n FOIA change by Ashcroft before 9/11 n Cheney refusal to release energy policy meeting list to GAO n FOIA rollback in Homeland Security n Take down web sites, including information to neighbors about potential leaks from chemical plants

12. More Rules to Prevent Leaks n Theme -- dont inform the terrorists of our vulnerabilities n Patriot I -- criminal gag rules on libraries, employers, and others if they are asked to turn over records to the government n Homeland Security -- new criminal penalties against whistleblowers n Patriot II -- more proposed gag rules

13. Summary on Administration Actions to Date n Total Information Awareness as the overall Administration policy – Maximize surveillance and information sharing – Minimize sharing of information with public n Implicit view that this approach shows you are serious about national security n Implicit view that raising privacy and civil liberties means you care less about security

14. III. Critiques of the Philosophy of Total Information Awareness n Negative impacts on security n Negative impacts on privacy n Lack of accountability and concerns about preserving democracy

15. Negative Impacts on Security n More security lapses n Lack of accountability and weaker security over time n Cost-effective security

16. More security lapses n The positive effects of information sharing – More good guys/enforcers get to see the data n The negative effects of information sharing – More good guys/enforcers get to see the data n State and local officials -- quality of systems? n International officials -- money laundering data shared with many governments n When have leaks, the rogue enforcers have access to far more data than before

17. Lack of Accountability and Weaker Security over Time n Mantra of computer security experts: There is no security through obscurity – Fix your vulnerabilities, dont try to hide them – If you try to hide them, only the bad guys will learn about the weaknesses – Essential role of peer review to maintaining quality of system security over time – Gag rules on whistleblowers lead to systematically greater vulnerabilities over time

18. Cost-effective Security n Implicit assumption of Total Information Awareness -- More Data is Better n Is the goal total information? n Or is it the most cost-effective measures that actually improve security? n Better security to focus on the most effective actions rather than the chimera of total information and control

19. Negative Impact on Privacy n Just gave reasons for believing TIA creates weaker security over time n And it creates weaker privacy n Sensitive data sought for TIA -- medical, financial, communications, etc. n Chilling effects and less freedom if all of us always under surveillance

20. Privacy Effects & Risk Profiles n Individuals will be assigned terrorist risk scores, like credit scores n Where have high risk profile, then government will act n Expect many false positives -- government has to act before it is certain that someone is a terrorist n False (and true) positives get put on watch lists

21. Privacy Effects & Watch Lists n WSJ article on FBI watch list after 9/11 – Many innocent people on the watch list – Employers and others received the list – The list morphed, with mistakes, over the Internet – No access or correction for individuals who were wrongfully on the list n A return to the blacklists and secret dossiers of the anti-Communist era

22. Preserving Accountability and Democracy n We have gone down the TIA path before – Maximize government surveillance – Minimize disclosure to the public n My IAPO speech in Chicago and the history of The Lawless State: The Crimes of the U.S. Intelligence Agencies

23. The Lawless State n Surveillance and smears of MLK, Jr. n FBI infiltration of political groups – FBI agents in KKK to Black Panthers, including participating in bombings, etc. – Fringe groups? Large fraction of delegates to 1972 Democratic National Convention under surveillance – Blackmail files on political officials n IRS & CIA abuses

24. Reactions to the Lawless State n Title III (1968) -- federal wiretap standards n Privacy Act, 1974 -- no secret dossiers n Government in the Sunshine – FOIA Amendments, 1974 – Open meeting & whistleblower laws n Foreign Intelligence Surveillance Act, 1978 n Electronic Comm. Privacy Act, 1984

25. Summary on the Lawless State n The Lawless State Round 1: history of abuse of power and lack of accountability n We built laws and institutions to: – Limit surveillance – Protect privacy – Create openness in government – Promote accountability n Has unaccountable and secretive government changed so we can ignore the history?

26. Concluding Remarks n The Poindexter program of Total Information Awareness was unanimously shut down by Congress n The Administration philosophy of Total Information Awareness, however, continues unabated – Patriot II proposal in 2003

27. What To Do? n Those of us outside government have a responsibility to voice the threat of TIA to security, privacy, and democracy n Inside the government, there needs to be someone at home on these issues -- in Homeland Security, OMB, & elsewhere n We must remember the history of the Lawless State, or we may be doomed to repeat it