Information about credit card transactions and purchasing habits is likely vacuumed up by the government.
Soon after the attacks of Sept. 11, 2001, the government began collecting reams of phone records and other personal information on millions of people in hopes of finding some sort of pattern of suspicious behavior that would reveal unknown terrorists.
That technique, known as data mining, hasn't been the silver bullet officials had hoped it would be, and privacy advocates say it is an affront to Americans' civil liberties, since they have no way of knowing who is looking at their personal information or whether the person looking is actually authorized to see it.
A small start-up company in California's Silicon Valley claims to have a partial solution.
"Most people in America believe you can either fight terrorism — i.e., identify and get the terrorists — or you can protect our civil liberties — i.e., make sure the government isn't looking at our personal information when they are not allowed to," says Palantir Technologies CEO Alex Karp. "And that dichotomy used to be true. We've found a way to tag information so the only people who can see it are those who are allowed to see it, so it takes care of that problem."
'Squishy' Rules On Who Can Snoop Where
As a general rule, intelligence agencies in this country draw the line at the border. The FBI, with the proper warrant, can collect information on people in the U.S. The CIA and National Security Agency are banned from collecting information on Americans inside the continental U.S. Instead, they are supposed to focus overseas, though there are exceptions to that. For example, the agencies can say that they thought the connection was foreign. The squishiness of the rules has long worried privacy advocates.
"For example, right now it is perfectly legal, without question, for the government to collect every telephone call, every e-mail, every communication in the world — as long as it can claim credibly some part of the communication contains a person outside the United States," says Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University. "And that's a problem."
Karp says Palantir provides a partial remedy because it tags the information so that intelligence agencies are only allowed to see the information that they are legally allowed to see.
I spent a recent morning with Palantir's director of engineering, Bob McGrew. We walked to Palantir's offices in downtown Palo Alto, Calif., and ran simple errands along the way. He bought a cup of coffee. He withdrew some cash out of a nearby ATM. And while those might seem like two perfectly innocuous stops, they could, in a terrorism investigation, have been signaling much more.
In the span of 10 minutes, McGrew had left quite a data trail — just as we all would. Starbucks had a record of the coffee he had purchased. His credit card company had a record of what he had spent and where. His bank knew that he had taken $100 from his account. And, had McGrew been under suspicion, all that information may well have been gathered together to try to get a sense of his habits and associates.
If I had also bought a coffee and grabbed some cash from the very same ATM and perhaps phoned McGrew, my information might well have been vacuumed up as well. And it is those degrees of separation — the information collected on people who might have the slightest connection to a suspect (even an accidental connection) — that also keep privacy advocates up at night.
Exactly What's Collected Is Uncertain
Part of the problem is that it isn't clear what kinds of information the government is gathering. Certainly, intelligence agencies are using government databases with tax records and property titles as part of their search. Treasury Department databases, which track money flows, are undoubtedly in the mix, too. What hasn't been revealed is the kind of corporate databases that are included. The assumption is that credit card transactions and maybe purchasing habits are vacuumed up too, but so far the government hasn't said as much. The possibilities are endless, because each and every day, we are all leaving little data trails that are easy to pick up.
"To this day, after studying this for more than seven years, it still isn't clear to me what they are collecting," says Jim Dempsey of the San Francisco privacy group the Center for Technology and Democracy.
Privacy advocates also worry about a more basic problem: the misuse of all this personal information. Two months ago in Massachusetts, law enforcement officials were found to be snooping into the lives of local celebrities. They poked around New England Patriots quarterback Tom Brady's personal information just because they were curious. So they looked up his address and whether he was a gun owner; they did this 968 times.
McGrew claims that what happened to Brady wouldn't have happened if law enforcement had been using Palantir's system because of its privacy control. "When some of these officials were looking at Tom Brady's data, they would be leaving a trail. It is all captured in a log that you don't need to be a technical guy to understand," he says. "A compliance officer or a civil liberties group would be able to see exactly who was looking at what information."
He says the accountability is built in.
That's an important claim given that the FBI, CIA, Defense Department and New York Police Department have all started using Palantir's software in recent months to analyze their intelligence data. Privacy advocates have long said that one way to protect civil liberties is to create a way of knowing precisely who is looking at the information. That, in and of itself, creates a disincentive for misuse.
A Need For Oversight?
Former FBI agent Mike German says accountability is a start, but intelligence agencies won't be able to invent their way out of the data mining problem. German, who is now with the ACLU, says the rules governing private information need to be beefed up.
"There has to be intensive oversight," he says. "And there have to be ramifications when someone violates the policies that protect the rights of innocent people whose information is collected. It is very unclear now what protects people's privacy once it's collected anywhere along the chain — whether it is a state or local police officer collecting it, whether it is the FBI collecting it or whether it is the intelligence community."
That's something Congress, not Palantir, will have to fix.