By Jane Black On Jan. 29, Utah pulled out of MATRIX, the Multistate Anti-Terrorism Information Exchange, a database that allows law-enforcement officials to comb through information on individuals held by the state and commercial establishments. Utahans evidently were enraged to discover that the police could create dossiers that include a person's birth and marriage certificates, car registration, and address and credit history -- with one click of a button.
According to published reports, one man complained that he had received unwanted marketing solicitations based on information he had shared only with the Utah Department of Motor Vehicles. Other locals were seized by an amorphous fear of a system that, in the words of the American Civil Liberties Union (ACLU), amounted to "a body blow to the core American principle that the government will leave people alone unless it has good reason to suspect them of wrongdoing." Former Governor Mike Leavitt caught plenty of grief for having signed onto the program without alerting the public or even, apparently, his lieutenant governor, Olene Walker, who has since succeeded him.
Utah isn't the only state to back out of the controversial data-sharing plan. On Jan. 30, Georgia withdrew amidst a swirl of privacy concerns. Last September, California's attorney general declared that the system "offends fundamental rights of privacy." Of the 13 states originally involved in the MATRIX, only six -- Florida, Connecticut, Pennsylvania, Ohio, New York, and Michigan -- remain. (Four withdrew citing costs that could run to $1.8 million per year.)
BIRTH OF BIG BROTHER. There's no doubt that MATRIX raises privacy red flags, though after an extensive briefing by the Florida Law Enforcement Dept., which is spearheading the project, I believe that it's little more than an efficient way to query multiple databases.
The real furor over MATRIX demonstrates something much more important -- and surprising: Privacy advocates have gained a lot of ground in the two years since September 11. And the pendulum is swinging back in their favor.
It was in those dark days following the attacks on the World Trade Center and the Pentagon that many of the Big Brother programs were born. At the federal level, there was Total Information Awareness (TIA), the brainchild of former Admiral John Poindexter that aimed to combine every American's bank records, tax filings, driver's license information, credit-card purchases, medical data, and phone and e-mail records into one centralized database that could be scanned for suspicious behavior (see BW Online, 12/18/02 "Snooping in All the Wrong Places").
RECORD CHECK. Around the same time, we now know, the National Aeronautic & Space Agency (NASA), began research into a similar concept -- which it developed using Northwest Airlines (NWAC) passenger data (see BW Online, 1/28/04, "Putting a Stop to Fly and Tell"). These and other programs were attempts to make databases so intelligent that they could identify terrorists without human intervention.
Indeed, that was one of the ideas behind the MATRIX, as Mark Zadra, chief of investigation at the Florida Law Enforcement Dept., now says. In the weeks after September 11, Boca Raton database outfit Seisint, with the help of the FBI, the former Immigration & Naturalization Service, and the Secret Service, did develop software designed to unveil suspicious behavior, which it presented to the MATRIX board of directors in 2002, according to Zadra.
In early 2003, however, the MATRIX program's board of directors, which includes representatives from participating states, rejected the software, concerned that it was both too crude and that it would raise serious privacy issues. "The MATRIX is not whirring away at night to create a list of suspects that is placed on my desk every morning," says Zadra. "All it does is dynamically combine commercially available public data with state-owned data [such as driver's license information, sexual-predator records, and Corrections Dept. information] when queried. I can't imagine any citizen getting angry that we're using the best tools available to efficiently and effectively solve crimes."
CLOSING LIBRARY FILES. Neither can I. Still, the public is starting to demand less intrusive security and more transparency. Witness the Security & Freedom Ensured (SAFE) Act, a bill sponsored by Senators Larry Craig (R-Idaho) and Richard Durbin (D-Ill.) that was introduced last October. It aims to curb the most objectionable sections of the Patriot Act, the sweeping law passed just weeks after September 11 that expanded law enforcement's right to tap phones, monitor e-mail correspondence, and conduct secret searches (see BW Online, 11/29/01, "Uncle Sam Needs Watching Too").
The SAFE Act would, among other things, roll back "sneak-and-peek" searches that allow a search to take place without notifying the target. It would also establish expiration dates on nationwide search warrants and prohibit law enforcement from obtaining library records without cause. On Jan. 30, Attorney General John Ashcroft warned the Senate Judiciary Committee that President Bush will veto any legislation that curtails the Patriot Act.
Even if he does, challenges to government privacy invasions are bubbling up elsewhere. For instance, privacy activists are turning up the heat on the newest version of the Computer Assisted Passenger Pre-Screening System, or CAPPS 2. On Jan. 27, Deputy Secretary of Homeland Security Admiral James Loy was questioned about CAPPS 2 before a hearing of the National Commission on Terrorist Attacks on the United States. During his two-hour testimony, Loy acknowledged that 14.5% of all passengers are currently designated as "dangerous" and that CAPPS is "gameable" and might be compromised.
TRANSPARENCY NEEDED. Overseas, the European Union is threatening to stop cooperating with U.S. data collection if more privacy protections aren't put in place pronto. In particular, government sources close to the negotiations say the EU wants proof that Homeland Security's privacy office is independent and not subject to political pressures.
There's still a long way to go before the U.S. reaches an acceptable balance between privacy and public safety. First, as I've noted many times, the Bush Administration should abandon the notion that technology can unearth terrorists. Second, all government agencies that collect information need to be upfront about what they're doing and how they're doing it, rather than allowing programs with spooky names, such as MATRIX and Total Information Awareness, to be outed by privacy activists. Maybe they'll learn from MATRIX's demise. It's about time. Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column