Comments on: The flip side of database snooping

CNET News.com's Declan McCullagh explains why the same features that make databases useful to businesses make them even more attractive to law enforcement.

CFR 28 Part 23

Start with CFR 28 Part 23, Declan.

There actually are regulations about how, who, where, when, etc. Getting the DHS to acknowledge these is a different problem, but your local agencies are well aware of them.

Accuracy of databases and relations...

One of the most important things to keep in mind
when reading of these "big brother" database and
datamining projects is the prevalence of bad
data. This could be a good or bad thing,
depending on the situation of course. The problem
is, however, that the more certain individuals
become savvy to how data is collected, the lower
the signal-to-noise ratio will become. Moreover,
the more common sharing of accounts and services
is likely to be done (so as to limit tracing back
to a specific individual).

Doubly important, however, is how poorly the
databases and the queries against them are
becoming. The notion of a no-fly list based on a
person's name is just plain silly, for instance.
Names are not unique identifiers, they are
mutable chracterisitics (change name, modify
spellings, change name order, etc.), and the
association with an individual is loose (easy to
credential yourself as another person). Yet,
companies that are integrating data-sources will
join two records based on tenuous relations all
of the time; they accept all sorts of useless
information as gospel, and they don't provide
metrics of confidence for the information they
have... I guarantee that for the average
individual with information covered by
checkpoint, at least 1/2 of it is incorrect, and
at least 1/3 of that half is tainted with
information associated with another individual.

I had a friend once that lost out on buying a
house because the bank told him he was dead. It
took some work, but it seems that after moving
from an old apartment, his old phone number was
quickly assigned to another person. This person
got tired of receiving phone calls for the
previous occupant, so, one day when Sears called
to ask about a late credit payment, the new
occupant said "he's not here, he's dead". Sears
accepted that as accurate, and duly notified all
three credit agencies, which likewise accepted it
as accurate. A couple weeks later, he was
effectively deceased. The bank wouldn't offer him
a mortgage and the police eventually pick him up
for identity theft related charges (he was, after
all, pretending to be himself, who was deceased).

It may sound outrageous, but I can't see how this
won't happen more often in the future.

... I might add...

I'd also add, a nice cumbersome solution to
proliferation of data gathering and false
information would be mandatory notification and
(read-only) access to all data collected about
you. There's no legitimate reason that you should
not have access to your own dossier -- albeit
with significant costs to be absorbed by
businesses and aggregators that would have to
report back to you (in some sensible format).

[Marcus Westrup]

Dangerous Data

Just my two cents worth:
Poindexter's Total Information Awareness database, if ever completed, would be the information equivalent of an atomic bomb. With the poor security measures demonstrated by the government, this data would eventually leak and end up in wrong hands.

Imagine if other countries had collected such all encompassing profiles of their own people. Would you not expect American intelligence to work very hard to get their hands on it? And for what ends?

The very existence of such a store would be a security risk not just for the country, but for all it?s citizens. Best to let this project die.

Like any tool....

Data mining can be misused. So can cameras, claw hammers and guns.

Let's not make the mistake of trying to regulate the tool out of existence. That's a classic case of throwing out the baby with the bathwater. Instead let us focus on regulating and curbing misuse of data mining. Court supervision of information USED by law enforcement from data mining would be a good start.

The credit system is a marvel of efficiencey? Criminy! You have obviously never tried to have incorrect data removed from a credit report or persuade a lender to disregard data that was patently silly contained on a credit report. The credit databases are a huge shambles and a perfect example of what happens when mane relies on machines (and data entry operators) to be infallible.

Missing a large point!

I find it interesting that you lay the bricks to government for exploring alternative data bases for information many would consider inherent in any real privacy provisions WITHOUT CONSIDERATION OF THE INFORMATION SOUGHT AND MADE AVAILABLE BY THE PRESS AND OTHER MEDIA!!!

I know, for example, that the Washington Post compiles personnel record of all Federal Employees, including promotions, awards and pay level, and makes that information availabe to the world at large. Is that fair? Is it honest to ignore their transgressions? I suggest that you need to take the high ground.

[declan00]

private vs. government disclosure

Don:
You make a good point that, as you say, I didn't address in the limited space I had. Personally, I draw a distinction between the private sector and government workers. We need strict oversight of government workers, including their salaries and promotions etc. to ensure that tax money isn't misspent. That's because the government is essentially a monopoly so you can't trust competition to keep it efficient.

In the private sector, competition tends to be vigorous and there's no need for disclosure. A similar argument applies regarding court records (though there's an even more pressing reason to keep those public as a general rule, which is to prevent secret arrests and trials).

-Declan

[Catgic]

If you store it, THEY will come

There is a substantive difference between the threat of private companies SNOOPING in databases, and the threat of government SNOOPING in the same commercial databases and their own SECRET ?TIA? government databases.

Data currency and accuracy aside, the most that private companies usually want from you is your money and wealth, but not your life and liberty. On the other hand, Uncle Sammy Big Buck$ and his Big Brother want not just their annual ?fair share? of your wealth and money, but a bit more. Citizen, if you loose at Database Lotto, Good Uncle and his Black Helicopter flying Big Bro will pounce on your liberty, interfere with your pursuit of happiness and worst-case maybe even take your life.

If your name rhymes with Ali bin Noncitizen, or some variant there of, you have a high-probability of e-bubbling to the top of the TSA, DOS and U.S. Customs-INS Persons-of-Interest Body & Cavity Search List during any of your business and pleasure travel via bus, train or air.

When was the last time American Express, Visa or Master Charge asked the restaurant maitre d? to conduct a body and cavity search on your person before approving a charge when you charged the tab for a business or family meal on their plastic? DEAD SILENCE?that?s because it Neva Hatchi Watashi.

When the maitre d? swiped your card through the credit card reader, if the Credit Card company database said that you didn?t exceed your card limit, your got a ?Sign here, Please? and got to keep cloths and shoes on, and car keys and loose change in your pocket. Now that?s the ?Private Company Threat.?

Now go on an international or domestic business or pleasure trip. A government TSA security clerk-agent will have you remove your wallet-credit cards, empty your pockets, remove your shoes, etc. and if you wince, grumble, look at them ?funny? or if their MATRIX, CAPPS II, Secure Flight databases hiccup, they?ll treat you to an impromptu body search. Now that?s the ?Government Threat.?

Enjoy your all expense paid vacation in GITMO.

[declan00]

welcome to GITMO

Joseph:

I couldn't have said it better myself. When a private company stores your name in a database, it's typically the result of a business transaction. When a private company accesses that record, it's typically trying to sell you something.

Governments, on the other hand, are the only entities that can do the body cavity searches, "temporary" detainments in secret for a few days, "random" IRS audits, "accidental" addition of your name to a No Fly List, and so on...

-Declan

Privacy Laws Can Be Efficient, Too

I'm a fan of markets, and I agree that greater information improves the efficiency of markets, but the quality of the information is as important as the quantity. Relying on bad information can make a market even less efficient and less rational than a market relying on reasonable guesses with less information. That's at least one reason for having laws that prohibit false advertising and permit recovery for fraudulent misrepresentations.

The credit reporting industry may be very efficient at distributing information, but it is prone to providing inaccurate information and is not efficient at correcting errors. Because the information is efficiently delivered, and packaged with lots of impressive numbers and scores that can easily be plugged into formulas and used for comparisons, creditors can easily be lulled into placing great trust in that information.

This is where privacy laws can be useful (in addition to providing comfort to individuals). Privacy laws can be government guarantees that individuals must have access to and control over their information--not just guarantees that individuals may withhold information. In that sense, they can actually improve informational efficiencies by ensuring that information made available to a market is accurate and complete. That's why (for example) it's important for people to have a right to see their credit reports if we're going to have a credit reporting system.

For more on my perspective, see my reaction to this article on Privacy Spot: http://privacyspot.com/?q=node/view/558

I wonder if any of Declan's opinions have changed...

in light of the recent incidents at ChoicePoint, Bank of America, etc. I can't help but think that compromising the financial identities of 1.5 million people will have a negative impact on the economy.
Lots of things might make life easier for law enforcement or the financial industry, but that neither makes them right nor appropriate. I personally could wait a little longer for a loan approval if that meant that I had greater control over my own data.
What is my recourse when the people providing information about me are under no legal obligation to ensure the accuracy of that information?