According to confidential documents obtained by the WSJ and the Electronic Privacy Information Center, the intelligence and criminal investigations divisions of the U.S. government have lost their minds.
On one hand is increasing number and outrageousness of the secret demands for data courts pass out in support of investigations based on hunches, biases and prejudgments by law-enforcement officers. All assume the rules against having the police strip search you on the street because they suspect you might have been thinking about something related to a crime either don't exist, don't apply to anything on the Internet, or don't apply to them.
On the other hand is a set of documents from the Dept. of Homeland Security that show it is trying to develop a program that can accurately predict whether one specific person is likely to commit a crime.
It's testing the app now on volunteers who are either confident that the software won't work at all, or that expect never to be in a position in their lives in which they would covet anything the 10 Commandments say they shouldn't covet, or harbor any intent, conspiracy or deep, dark desires inside the depths of their souls.
If the app worked and DHS knew about the intent to have a conspiracy to covet, the volunteer might be putting in a little more time than expected, in Guantanamo rather than the DC area.
The app, called the Future Attribute Screening Technology (FAST) sounds more like a fantasy some agent had after leaving the Tom Cruise movie "Minority Report" than it does a real investigative tool.
FAST reaches its conclusions based first on the behavior of the volunteer using video, audio and sensors to measure "psychophysiological measurements" (like the ones proven to be unreliable in polygraph tests even when everything's done correctly and the reactions are as isolated and calibrated as possible).
Don't worry, it doesn't work yet. Yet.
FAST is purely a research project at this stage, being tested on a few employees who volunteered to try out a "noninvasive" means of determining their intent in the future.
The Electronic Privacy Information Center statement said it believed using the system would be "very problematic" for legal reasons.
It doesn't mention how mind-bendingly wrong the conclusions of a piece of software would be that had been developed using observations of human behavior, analyzed and codified by other humans, to try to isolate the specific behaviors present in the one part of human behavior no human has ever shown he or she is all that good at figuring out: when someone else isn't telling the truth, the whole truth, or something in addition to the truth.
Software is a lot more objective than human perceptions, because it's more stupid. The algorithms that allow analytical software to reach conclusions are written by humans codifying data that are entirely subjective, then trying to verify those subjective judgments and reduce the error rate by piling on more tests built on more series' of subjective judgments.
However learned the explanation of theory or practice sounded in some smoke-filled underground bunker at DHS when this idea was pitched, no matter how many graphs were involved or how many white coats the scientists wore while swearing they could do this, no one can do this.
Why "Minority Report" crime prediction can not work, ever.
- Many human decisions are irrational;
- Many human behaviors are based on attitudes or decisions that are themselves very inconsistent;
- Many behaviors are not the result of a conscious decision, but unconscious behaviors and habits are often altered by an anomalous decision;
- The future is unknown, so the reaction of a specific person to new situations or willingness to carry through a long-held plan are both invalid as a basis on which to base a decision about that person's behavior;
- In order to gather enough information on every person in the country with the potential to commit a crime (every person in the country) would require closed-circuit video recordings of every person in the country seven days a week, 365 days per year;
- Just the number of cameras and amount of surveillance would be unconstitutionally invasive, let alone the collection of all that data and holding the analysis, decisions and reaction plans (punishments or rewards);
- Any reaction plan would be based on incomplete data, subjective analytical methods and a decision-making structure riddles with irrecoverable structural flaws that would prevent even the most earnest, honest investigator with information as near perfect as possible from reaching the right conclusion and deciding what to do about it.
You're right, that goes too far; just give me a list of everyone you've ever spoken to in your life and their phone numbers
Now, lest you think DHS is the only agency a little overexcited about the chance to surreptitiously observe people and ask irresponsible questions (at gunpoint) about their personal behavior, the Wall Street Journal unearthed an example of the Dept. of Justice sifting through the underwear drawer of a guy it is confident did nothing wrong but volunteer to help maintain the web site or databases of a site it didn't like.
Jacob Applebaum developed free web proxy/anonymity service The Tor Project, Inc., but also does volunteer work for WikiLeaks.
So, someone in DoJ figured, he must talk to a lot of people who would be terrorists because they'd want to talk to the guy who started a company to help Chinese dissidents watch YouTube without getting arrested.
So the DoJ got secret court orders designed to force Google, inc. and the ISP Sonic.net to hand over all the email addresses of people who had corresponded with Jacob Applebaum – who does volunteer work for WikiLeaks and
The court order was granted under terms of the Electronic Communications Privacy Act of 1986 which, because it was written before the advent of the web or location services on cell phones, doesn't protect those things well.
The test protecting your privacy is open-book, web-search-allowed for law enforcers
It includes two levels of access for law enforcement agencies. The lower one – which only requires that agencies show "reasonable grounds" information like a list of people you've phoned using your old AT&T POTS line, but not tap the phone and listen to conversations, which would require "probably cause" to believe you'd committed a crime and a different kind of warrant.
No one is accusing Jacob Applebaum of committing a crime, but the FBI was able to get a list of everyone he had traded mail with for two years.
Sonic.net and Google both fought for the right to inform Applebaum his contact list was being fingered, but a judge said no. Sonic.net fought to keep from turning the information over on and because thge ECPA violates the fourth amendment rules that forbid police from frisking you every time you walk by and they suspect you of something.
(Several courts have already ruled ECPA does violate the 4th Amendment, but no test case has been taken up at a high enough level to decide it for sure. There are several groups fighting to get the law updated or force the Supreme Court to make a decisive ruling on the law. So far they haven't made much progress. )
Requests for information under ECPA are almost always confidential, and the ISP or email provider are both ordered not to say anything; so the whole thing takes place in secret, the way all honest, upright, Constitutionally valid investigative procedures are conducted.
First they came for the Twitterers, but I was not a Twitterer, so I said nothing.
The DoJ wanted to know who Applebaum was writing to after the non-profit Committee to Protect Journalists accidentally printed his name in a post that also revealed he was working on a volunteer basis for WikiLeaks.
On Dec. 14, 2010, the DoJ got a court order for Twitter to turn over a list of all the IP addresses of a list of people who had talked with Applebaum on Twitter, or with two other WikiLeaks' advocates – one a member of the Icelandic Parliament and the other a Dutch programmer. The order also demanded email addresses from their correspondents.
All three persons of interest asked a U.S. Magistrate to throw the orders out. She didn't. They appealed, but it hasn't come to court yet.
The order to Sonic was dated April 15, demanding the same types of information as the DoJ asked of Twitter. The only reason the request became public was because the judge ordered the DoJ to lift the cone of silence so Applebaum could see the order demanding detailed information on much of his private life.
Sonic couldn't get the seal lifted on the papers it filed to protest the order, either. The request was almost entirely turned down, without explanation. So Sonic can't show it's part of the discussion even if it wanted to.
DoJ! You Are Wasting Your Time! Work Smarter, Not More Unconstitutionally
When you combine the wish to surveil every citizen every moment of the day and predict what he or she might do in the future with what looks like a disturbingly lax attitude toward the right of their subjects not to be watched or analyzed when there's no reason at all to suspect them of anything and you have a common thread of paranoia, self-justification and self delusion woven throughout the agencies responsible for upholding the constitution.
Not only do the methods they're trying to depend on more and more not work, many of them can't work (FAST). The ones that do require so much effort they're a bigger waste of time and money than simply not doing them at all.
If you can compel the ISP serving whoever is head of Al Queda right now (Predators are flying) to give you a list of everyone he talked to while using the words "Jihad" "explode" and "yes, you can," maybe you'd have a list worth the enormous effort of checking out every name on it.
Otherwise the odds are very, very long that you'll get a lead that was worth violating the privacy rights of a major privacy advocate, beat up Google, Twitter and Sonic to do it, and embarrassing your agency, yourself and your government with your unbelievably wasteful, slow, inefficient investigative methods.
What the DoJ is going after with ECPA court orders is pure brute-force code cracking. It'll do the job, and in the right amount of time, if you have the right code, the right victim and time to work on it.
If you're digging that hard sifting for leads...you're not a professional investigator, you're a five-year-old digging in the backyard with a trowel, hoping to hit oil.
It's childish, it's wastes your time, your application development and staff budgets and It Gets You NooooWhere.
Looking for love (of Jihad) in all the wrong places
Everyone wants you to catch the terrorists. Go ahead and do it. No one will begrudge you.
But don't waste our time looking through random phone lists or developing super truth-telling future Magic 8-ball machines hoping to do it.
Go be a cop. Investigate something. Follow a legitimate lead until it goes somewhere.
Go look at the forums and IRC channels hackers and terrorists and pornographers and occasionally upright citizens go to chat.
Yah, the terrorists chat in Arabic. You'll have to learn it. Because saying the light is better where you're looking is not a good reason to be looking in what you know is the wrong place.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.