August 19, 2003

The inevitability of Total Information Awareness

- by Campbell Vertesi -
In the age of the Internet, technology inevitably fills demand. In the case of music-swapping services, we all recognize that the recording industry hasn't a hope of stopping every file-sharing service around. So long as there is a demand for easy access to music, technology will rise to meet that demand, and all the lawsuits in the world won't help the RIAA to stop it. So why should we expect anything different from projects like DARPA's Total Information Awareness proposal, designed to combine commercial, criminal, and government information sources into one comprehensive database of a country's citizens?

Law enforcement, the military, and the government are increasingly concerned about terrorist threats, and the demand for a technology to help them cope is intense. Right now, in order to track down a dangerous criminal or terrorist, an enforcement agency must use data from hundreds or thousands of disparate sources, an activity that wastes enormous amounts of time and effort. How long did it take authorities to discover the identity of the Maryland Sniper? Or the 9/11 attackers? It was inevitable that someone somewhere would notice that this kind of searching is exactly what computers are good at. The potential gains are so great, someone would develop a program to do it. And if that program were struck down, another would rise in its place, just as we saw with Napster, Audiogalaxy, and now Kazaa. No matter what the obstacles, technology rises to meet the demand.

The demand for increased surveillance is every bit as intense as that for easy access to music. To the designers of these programs, it is of small concern that their technology could violate a copyright or someone's privacy. What about the legitimate uses, they say. If it can be used responsibly, you cannot outlaw it! And in the end, they are right. Just as the recording industry must get used to file-sharing services, and should do everything in its power to make sure that these services are used responsibly (however you choose to define that), so must we the people get used to TIA-style projects, and do everything in our power to ensure responsible use of them.

The fears, and how to allay them

Once we accept the inevitability of TIA systems, we have a host of new problems to face. A completed TIA database, with access to every American citizen's photograph, home and work addresses, shopping habits, and day-to-day movements, would be the number-one hack target in the world. Just as the demand made the creation of such a system inevitable, the demand for access creates tremendous pressure for such a system to be used illicitly. It's hard to imagine anyone who would not want access to this system: Besides terrorists and government agencies, the list includes women (to check up on guys they meet at a bar), jealous boyfriends, companies (for accurate demographic information), banks (a more advanced form of credit check), and parents (to check up on children away at college).

The demand for access would be practically unlimited, so a successful hack is just as inevitable as the program's creation in the first place. Such a hack would probably even be morally defensible as a protection of your privacy rights. Even if the TIA project accomplishes the impossible, and becomes completely 100% secure from digital attack, there is the human element to consider. If you had privileged access to the TIA system, how much money would it take to convince you to give up your password? Name a figure, and you can bet that the demand will match it. Fifty million dollars? Companies spend that much on demographic analysis all the time. Five hundred million? Professional spies have been paid as much, for less valuable information. Five billion? It can be arranged. Even (perhaps especially) highly placed government and police officials cannot be trusted enough to stand up to such overwhelming temptation.

But all these concerns occur after the system is implemented. What about at the development stage? Even half a TIA system is worth a lot. How can you be certain that the programmer didn't write in a backdoor? Or two? Or ten? Open source it, I guess -- but you'd have to have some pretty blind faith in open source to release code for something with that much demand for access.

All of these concerns need to be addressed by whatever organization creates the system that finally survives our opposition. Personally, I would much rather it be built and regulated by government than by a terrorist organization, because then we would have some control over the access conditions. These conditions must be designed to make access difficult, and preferably publicly monitored.

I can think of an excellent set of controls that would put most everyone's security concerns to rest. First, the system should be entirely disconnected from any form of network. This is the only way to ensure 100% immunity to hacker attacks. I also envision five or 10 officials from various levels of government and civil service, all required to be present at once; that way the system could only be accessed by a select group of well-watched people. Gather fingerprints, retinal, voice and brainwave scans, and personal passwords for each of them. Send an automated email message or letter to the target of every search to notify them that their record was retrieved. And keep the whole thing in a secret facility at the bottom of the Pacific, or better still, on the Moon.

Maybe then the system would be so difficult to access that it really would only ever be used appropriately. Maybe.

Campbell Vertesi is an opera singer and a Linux nut with a burning need
to get his thoughts down on paper. He is as involved as he knows how in
the politics of the digital frontier.
