CIA-backed Las Vegas firm is pitching a new technology that it says could
address many of the privacy problems brought on by the government's
ever-growing need for information in the war on terrorism.
Systems Research and Development, a company known for helping casinos spot
fraud, has developed a product called Anonymous Entity Resolution. It
claims the technology can help investigators determine whether a terrorist
suspect appears in two separate databases -- say, a government watch list
and a hotel reservation system. And the company says it can make that
determination without handing over the government list to the hotel, and
without handing the reservation records over to the government.
SRD has shared the technology with the Department of Defense, which is
reviewing its capabilities. The company has received investments from
several agencies, including In-Q-Tel, the CIA's technology investment arm.
"It looks to be significantly exciting," said an unidentified Pentagon
source familiar with the company and the technology. "We think it will
alleviate some of the issues associated with privacy protection."
The system is unique, the official said, in that it applies
"entity-resolution techniques" to data that's been scrambled for security
reasons. The software sifts through data like names, phone numbers,
addresses and information from employers to identify individuals listed
under different names in sepearate databases. If, for example, a man named
Rahmin Abdul rents a van, entity-resolution software can determine that
he's the same person as Abdulahh Rahman included on a government watch list
of suspected terrorists.
However, SRD's Anonymous Entity Resolution technology takes this concept
one step further. It not only finds the information by comparing records in
multiple databases, but also scrambles the information using a "one-way
hash function," which converts a record to a character string that serves
as a unique identifier like a fingerprint.
"All it tells them is that they have somebody in common," said Jeff Jonas,
founder and chief scientist at SRD. "It doesn't tell them who."
Once a match is found, which happens when disparate records produce the
same character string, agents can isolate those particular records without
examining any other information.
A record that has been one-way hashed cannot be "un-hashed" back to the
original record -- any more than "a sausage can be turned back into a pig,"
Jonas said.
This ensures that even if someone intercepted the scrambled records, he
couldn't extract information from them. Thus, watch lists and corporate
databases could be securely compared -- but not shared -- online.
"This could have a huge amount of value to all levels of government, as
well as commercial companies," said Gilman Louie, CEO of In-Q-Tel, adding
that he had "great confidence" in the technology, as well as in SRD's
ability to "deliver the goods."
With privacy debates heating up in recent months over the extent to which
law enforcement priorities trump civil liberties in the fight against
terrorism, the technology seems well timed.
The Total Information Awareness program proposes to sift through vast
quantities of citizens' personal data, such as credit card transactions and
travel bookings, to look for terrorist activity. The program and other such
proposals have run into a wall of privacy concerns erected by lawmakers,
advocacy groups and the media.
"All the latest debates in Congress and among privacy groups, on the left
and right, are about the government accumulating vast amounts of
information, of being able to look through it willy-nilly," said John
Slitz, SRD's chief executive officer.
But privacy fears extend beyond concerns about individuals' civil
liberties. Intelligence agencies also want to keep their watch lists private.
"The greatest problem that has plagued government watch lists is that the
creators don't want to give them to anybody," said Jim Dempsey, the
executive director of the Center for Democracy and Technology. "This
includes other government agencies."
The secrecy is often warranted. If, for example, the government gives a
list of suspected terrorists to a few thousand companies, even if it
requests that the list remain secret, there's a possibility it will end up
in the wrong hands.
A watch list of suspected terrorists created after 9/11 by the FBI took on
a life of its own after being distributed to select companies, showing up
on the Internet long after many of the people listed on it were cleared of
any suspicion.
The data in the watch list, because it was not dynamically connected to the
source -- that is, the updated file in the agency's system -- inevitably
became outdated.
Anonymous entity resolution could solve such problems, according to SRD.
Using the technology, investigators could compare information from
different databases, such as corporate accounts and government watch lists,
without accessing information that either party wants to remain private.
And the data in watch lists could be dynamically updated, removing the
danger of outdated, static versions circulating in the public domain, he said.
However, Dempsey said the solution cannot address more fundamental privacy
issues, like whether the data is accurate in the first place and how that
data will actually be used by law enforcement. Moreover, it does not solve
problems such as how a person can be removed from a list.
"It does give the government some benefit of constantly updated
information, and it avoids the data maintenance, management, accuracy and
staleness problems, as well as the sort of mission creep and privacy
problems that come from the government accumulation of data," he said. "But
there are still a huge number of other issues that this doesn't begin to
address and that need to be addressed."
And, Dempsey warned, "Nobody should think that there is a single technical
solution to the privacy and due-process issues that are associated with the
government use of watch lists and commercial data in an effort to identify
terrorists."
http://www.wired.com/news/print/0,1294,57903,00.html
