Schwartz: Let's not relive TIA

Total Information Awareness (TIA), the Defense Advanced Research Projects Agency's effort to collect mountains of information about individuals to find potential terrorists, caused an uproar among privacy advocates in the early days of its conception following the Sept. 11, 2001, terrorist attacks.

By fall 2003, Congress had cut off TIA's funding, giving the impression that the government had retreated from using commercial data for homeland security purposes. To the contrary, other government agencies continue to explore the use of commercial data for counterterrorism and other law enforcement and intelligence goals. Private companies also continue to develop and offer services and systems based on aggregating and analyzing personally identifiable information available from commercial firms.

For such projects to succeed, officials must do a better job of ensuring privacy protection from the start.

The information available in private databases includes details about insurance coverage, travel plans, finances and retail purchases, as well as information compiled from government sources, such as court papers, licenses and property records. Reflecting trends that began before Sept. 11 and that have accelerated since then, the new data environment has two unprecedented features: the depth and breadth of personally identifiable information available from private sources and the technological capacity to analyze such data and draw patterns, inferences and knowledge from it.

Even many proponents of the use of private databases for counterterrorism purposes acknowledge that these technologies can raise questions about due process and privacy. However, work continues on the development and implementation of data-analysis techniques even though no suitable legal framework exists.

Some legal constraints limit the government's use of commercial data for counterterrorism purposes, but they are fragmentary, outdated and unresponsive to homeland security issues. That lack of guidelines has led promoters of such systems to find their progress blocked by privacy-conscious lawmakers just as the systems are ready to be implemented.

However, supporters are not the only ones whose interests are served by discussing issues, revising privacy laws and drafting guidelines for use.

Prior to the technologies' development, privacy advocates had generally relied on government inefficiencies alone to protect privacy. If information is not being used well by the government, then misuse cannot occur, people thought.

But we should not take solace in the government's failures in using information technology. Inefficiency poses threats to civil liberties when the government has broad discretionary authority to acquire or access commercial data but few guidelines on how to use it.

That state of affairs creates a high risk for erroneous decisions with no due process mechanisms to correct them. Given the current emphasis on terrorism prevention via screening and other means outside the criminal justice context, rules that guide governmental use of information would also serve civil liberties by making decisions more reliable, transparent and accountable.

We all bear strong responsibility for ensuring privacy and due process protections in new data-mining and pattern-analysis systems. Because of the valid arguments and pressure from both sides of the debate, failure to build privacy and due process rules for the use of new systems will simply result in reliving the TIA debacle.

Schwartz is associate director of the Center for Democracy and Technology.