(continued from previous page)
In early 2003, the Transportation Security Administration proposed the new CAPPS II system, which would cross-reference airline passenger information with commercial data services and secret intelligence information. Passengers would be assigned a "risk score" and be screened or blocked from flying accordingly.
Privacy groups complained again, saying the program was a form of discrimination against travelers on the basis of information that could not be checked or challenged. Like Poindexter, the TSA relented and announced last month that a new system called Secure Flight would be put in place instead.
David Stone, assistant secretary of homeland security, said that the new system will check passenger information against a "no fly" list maintained by the government to hunt for those with known terrorist connections but that it will not assign a risk score.
"CAPPS II ultimately got shut down because when you compared the need for information sharing against the rights of the citizens, we found it unbalanced," said Greg Baroni, president of the global public-sector unit at Unisys, a company that has significant technology contracts with the TSA. "That didn't mean that the goal would be thwarted. Alternative plans went into motion."
Despite these setbacks, data sharing and data mining are making steady inroads within federal security agencies. The most immediately realistic tasks have proven to be sharing data between agencies and simultaneous searching of multiple databases in and out of government circles.
One of the most public examples of this kind of new search tool is the program targeted in Sister LaForest's lawsuit, called MATRIX. That system, whose name stands for Multistate Anti-Terrorism Information Exchange, has also drawn considerable criticism, with 11 of the original 16 participating states withdrawing from its pilot project for either cost or privacy concerns.
MATRIX was created largely by Florida technology company Seisint, recently acquired by LexisNexis, with help from state officials and a grant from the Department of Homeland Security. The pilot program has taken public records from five states--information such as driver's license and vehicle registrations--and made that searchable along with Seisint's own mass of commercial data.
That means, for example, that an investigator might type in a partial license plate number seen by a witness and immediately get results for all the possible vehicles within a 50-mile radius of the sighting, as well as driver's license photos for the vehicle owners.
"It is a tremendous time-saving tool," said Mark Zadre, chief of investigations at the Office of Statewide Intelligence in Florida's Department of Law Enforcement. "The system does not solve anything--it's just an investigation tool. We hit a 'submit,' not a 'solve,' button."
The Michigan lawsuit against the program is based on a 1980 law that bars Florida from sharing records with out-of-state intelligence agencies.
"We're not asking to stop the world and prohibit technology from moving forward," said Noel Saleh, a lawyer for the ACLU Fund of Michigan. "But if we're going to have this kind of expanded information, we need to have some government and privacy oversight to make sure the rights of individuals are not trampled on."
According to documents the ACLU obtained through a Freedom of Information Act request, the original MATRIX program sent 120,000 names to the federal government that scored high on a list of possible terrorist indicators, including age, gender, credit rating and "proximity to 'dirty' addresses."
Other data search tools are potentially even more powerful, though less public.
A recent report from the Government Accountability Office identified a handful of data-mining tools with similar capabilities used by federal agencies. One of these was the Verity K2 Enterprise system used by the Defense Intelligence Agency to "identify foreign terrorists or U.S. citizens connected to foreign terrorism activities."
Officials at the defense agency did not return calls asking for further details. Executives from Verity declined to say specifically how their technology was used but did describe in general how it might function.
Verity's K2 is a search and indexing tool, rather than a database itself. It can target many types of sources, such as Web sites, internal intelligence databases or even the flow of information over an agency-monitored network. While not a monitoring device itself, K2 organizes results from these sources and can notify investigators when information relevant to a query comes up.
"The idea of clicking a magic button and having software issue an APB to arrest someone in Iowa is not going to happen, and shouldn't happen," said Andrew Feit, Verity's senior vice president of marketing. But software can "start to look for relationships between events and documents that can be truly data mined out of a database," he said.