Tuesday, August 18, 2009

Who Should Have Access to What When?

Stories surfaced recently that two police officers in the State of Georgia in the US ran an unwarranted background check on President Obama. Evidently, the Secret Service alerted the local county government that computers within their system had been used to access information on the President. As a result, the two officers in question have been placed on suspension. Remarkably, a similar incident occurred in Pennsylvania involving a Philadelphia police officer shortly thereafter.

These incidents bring two issues to mind:

First is the issue of access controls or access monitoring with respect to information systems and databases containing personal information. On the one hand, it’s refreshing to know that the kinds of controls are in place to allow the Secret Service to know that someone from a particular computer network has accessed information on the President stored on criminal justice systems. Yet, clearly the Secret Service is not going to be extending this kind of safeguard to too many people beyond the President, Vice-President, and potentially their families. It’s also unclear to what extent anyone within the network of federal and state agencies that have access to this information runs audits to ensure that other unwarranted access has not been made. With respect to at least one of the databases in question, the FBI’s National Crime Information Center database—which I discuss below—there are local agencies that oversee the administration of the system of access to the database within their locality (state, territory, etc.). This agency is “responsible for monitoring system use, enforcing system discipline and security, and assuring that all users follow operating procedures.” Yet, according to an article that appeared on Slate, it was “common practice” in one locality for police “to run checks for friends and family, and to run prank names to alleviate boredom.”

Then again, I’m not sure how you would structure such an audit given the fact that probably anyone who gets pulled over by police for even the slightest traffic violation can legitimately be subjected to such a background check (Another interesting question is whether anyone has ever challenged the legitimacy of allowing officers to call up this variety of information during a routine traffic stop). Multiple system queries issued in relatively quick succession might be one indication of abuse, but this kind of action wouldn’t be inappropriate where multiple individuals have been stopped for suspicious activities. Perhaps looking for checks run on notable figures such as President Obama might be another way to catch some illegitimate use of the system, but it would not provide much of a safeguard for the majority of citizens. At any rate, my point is to draw out an issue pertaining to the “watching of the watchers” and potential remedies for “violations” on the part of the watchers. This issue of providing access controls and auditing capabilities is likely to be a significant theme in Work Package 6 of the DETECTER Project, which I am working on.
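The two audit heuristics sketched above (bursts of queries in quick succession, and any query on a notable figure) can be made concrete. The following is an added example, not code from the original post or from any agency's system; it runs over a constructed query log whose format, operator ids, watch list and the notion of a "linked stop/incident id" are all assumptions made for illustration. Queries tied to a recorded stop are excluded from the burst rule, which addresses the caveat that several checks in a row are legitimate when several people have been stopped.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a records-check query log (not real data). Fields:
# timestamp, operator id, terminal id, subject name, linked stop/incident id ("-" if none)
SAMPLE_LOG = """\
2009-08-10T09:02:11 op17 unit-42 JANE DOE STOP-1001
2009-08-10T09:03:40 op17 unit-42 JOHN ROE STOP-1001
2009-08-10T09:04:05 op17 unit-42 RICHARD ROE STOP-1001
2009-08-10T14:10:00 op23 desk-07 ALICE EXAMPLE -
2009-08-10T14:10:30 op23 desk-07 BOB EXAMPLE -
2009-08-10T14:11:02 op23 desk-07 CAROL EXAMPLE -
2009-08-10T14:11:40 op23 desk-07 DAVE EXAMPLE -
2009-08-10T16:45:00 op31 unit-09 NOTABLE PERSON -
"""

# Hypothetical watch list of "notable figures": any query on them is reported.
WATCHLIST = {"NOTABLE PERSON"}


def parse_log(text):
    """Parse the whitespace-separated log above into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, terminal, *name_parts, incident = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "operator": operator,
            "terminal": terminal,
            "subject": " ".join(name_parts),
            "incident": None if incident == "-" else incident,
        })
    return records


def audit(records, watchlist=WATCHLIST, burst_n=3, window=timedelta(minutes=5)):
    """Return a list of findings tuples.

    ("watchlist", operator, subject, timestamp) for any query on a watch-listed subject.
    ("burst", operator, count, first_timestamp) when one operator issues at least
    burst_n queries with no linked stop/incident inside a sliding time window.
    """
    findings = []

    # Rule 1: checks on notable figures, regardless of context.
    for r in records:
        if r["subject"] in watchlist:
            findings.append(("watchlist", r["operator"], r["subject"], r["ts"]))

    # Rule 2: bursts of unlinked queries per operator (linked queries are presumed
    # to have a justification recorded elsewhere and are left out of the count).
    by_operator = defaultdict(list)
    for r in records:
        if r["incident"] is None:
            by_operator[r["operator"]].append(r)

    for operator, rs in by_operator.items():
        rs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(rs)):
            # Advance the window start until all queries in [start, end] fit in `window`.
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= burst_n:
            findings.append(("burst", operator, best, rs[0]["ts"]))

    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log this reports two findings: the single query on the watch-listed name by op31, and a burst of four unlinked queries by op23 within two minutes; op17's three rapid queries are not reported because each carries a stop reference. As the post notes, the watch-list rule protects only the few people on the list, and the burst rule only catches a pattern, so both are starting points for a reviewer rather than proof of misuse.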

The second issue concerns the actual extent of information that access to a particular system grants—and in the context of these incidents, information sharing or consolidation among different data collecting agencies. The fact is, I don’t know exactly what information is featured in these background check queries; according to the article on Slate, it may vary from police agency to police agency since different agencies may have different access policies and procedures. I would guess they would contain: name, date of birth, height, weight, gender, eye color, address (all of these are standard things included on US driver’s licenses), driver’s license number and state of issue (perhaps even for past driver’s license numbers, too?), vehicle registration information, list of outstanding parking tickets or fines, list of traffic violations, list of arrests, list of criminal convictions, list of outstanding warrants or other All-Points-Bulletin type notices (including e.g. Interpol notices), perhaps even social security number and driver’s license photo. The Slate account adds aliases, tattoos, scars, and other distinguishing marks. However, these clearly would only be available if you had been arrested. As for fingerprints, I know of at least one state that requires fingerprinting when issuing a driver’s license. Otherwise, these also would not generally be available without a prior arrest.

But where does this information come from? According to the Slate article, the information is culled from a number of different databases. Alongside local databases, the primary source for data from all states as well as certain federal information is the National Crime Information Center database mentioned above (see also this page maintained by the Federation of American Scientists). According to the Slate article, not every police officer will necessarily have direct access to this database from his or her squad car. Thus, at least in some places, there are built-in safeguards to limit the extent of information that is made available without some justification on the part of the officer.

Yet the trend has been toward increased availability of information—including increased information sharing and extending the reach of intelligence and criminal justice resources to include more and more databases and data sources. An initiative known as MATRIX (Multi-State Anti-Terrorism Information Exchange)—I’m guessing they didn’t see the movie—represented one effort in the US in the early to mid-2000s to pool information and resources for the support of a better (and perhaps more extensive?) information system. Accounts vary, but some claimed the system would provide access to records from a number of public sources in addition to the usual law enforcement databases. One account, for instance, claimed that things such as credit information, marriage and divorce records, names of business associates, neighbors’ addresses and telephone numbers would also be made available (Duane D. Stanford and Joey Ledford, “State to Link Up Private Data,” Atlanta Journal-Constitution, October 10, 2003, cited by the ACLU in this report). There was certainly discussion of incorporating the use of an analytic system developed by a private corporation which would also include access to that corporation’s databases that held “billions of public and commercial records.” The fear that the new system would provide local police with access to an enormous variety of personal information gave rise to public uproar. Probably at least in part due to that backlash, most of the states that had initially signed on to the program gradually began to withdraw involvement.

There’s a lot more to be said on this subject of what is the appropriate extent of information that should be readily available—particularly in light of the potential for misuse. Especially in the context of national security intelligence, it is often not clear what information is of significance to prevent terrorist attacks. There is this idea, perhaps reflected in programs like DARPA’s Total Information Awareness (or “Terrorist Information Awareness” if you prefer), that if only the greatest possible amount of information were available for analysis, analysts would be able to pick up on patterns of “suspicious” activity before incidents occur. I’ll perhaps save further discussion of this subject for a future post. But beyond the question of the extent to which we should permit data aggregation, there are also the issues of what extent of existing information should be made available to whom and under what circumstances.
