Analysts have applauded the intentions of a bill introduced in the US Congress this week seeking to place greater checks and balances on the government's use of data mining programmes to combat terrorism. But they said it will have to be well crafted to be truly effective.
US Senator Patrick Leahy, the new chairman of the Senate Judiciary Committee, and two of his colleagues proposed the Federal Agency Data Mining Reporting Act on 10 January 2007 during a committee hearing on the privacy implications of data mining by federal agencies.
The bill, cosponsored by Senators Russ Feingold and John Sununu, would require agencies to report to Congress on their development and use of data mining programmes, thereby providing an “oversight mechanism,” Leahy said in his opening statement at the hearing. Similar legislation was introduced during the last Congress but received “no attention”, he said.
“This year, I intend to make sure that we do a better job,” Leahy said.
Such legislation is overdue, said Orson Swindle, a former commissioner with the US Federal Trade Commission and a policy adviser at Hunton & Williams, a Washington law firm. “If ever there was a need for a bipartisan effort, it is now,” Swindle said.
Data mining techniques may ultimately help the government in its antiterrorism efforts, Swindle said. But, he added, “oversight is essential”. Care needs to be taken to ensure that there are proper controls for collecting and using data and that there is accountability for any misuse, he said.
The effectiveness of data mining in helping identify potential terrorists remains largely unproven, said Bruce Schneier, CTO at managed service provider BT Counterpane in Mountain View. “But we can’t even begin talking about that issue until we know the scope of the [data mining] being done,” Schneier said. The proposed bill would at least “allow us to know what the heck is going on”.
For any legislation to be effective, though, it has to cover issues such as justifying data mining programmes and minimising the amount of data being collected, as well as data retention and destruction, said Gartner analyst John Pescatore.
If a bill “just states things very broadly” and doesn’t provide specific guidelines on what kinds of data can be collected and used, it may actually pave the way for government agencies to over-collect and misuse data, Pescatore said. “The CAN-SPAM Act was sort of like that,” he noted. “In many ways, it made it easier for spammers.”
At Wednesday’s hearing, Leahy said that as many as 199 data mining programmes are currently operating or being planned throughout the federal government. Among them are programmes such as the US Department of Homeland Security’s Automated Targeting System for assigning “terror scores” to US citizens and the Transportation Security Administration's Secure Flight programme for analysing data about airline passengers.
Without proper safeguards and oversight, “the American people have neither the assurance that these massive data banks will make us safer nor the confidence that their privacy rights will be protected,” Leahy said.