[IP] Solution for Gov't Security-Privacy Clash?
Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 11 Mar 2004 16:54:44 -0500
From: Pike236@xxxxxx
Subject: Solution for Gov't Security-Privacy Clash?
To: dave@xxxxxxxxxx
(Have I not heard this one before?? djf)
Entrepreneur Offers a Solution for Security-Privacy Clash
By Don Clark
1170 Words
11 March 2004
The Wall Street Journal
B1
English
(Copyright (c) 2004, Dow Jones & Company, Inc.)
JEFF JONAS is a junior-college dropout who once lived in his car for three
months after a company he started went bankrupt. Now, the Las Vegas
software developer is attracting surprising attention for a brainstorm
about a national-security dilemma.
The problem: Government agencies don't like sharing lists of suspected
terrorists or criminals. And companies, including airlines and hotels,
don't like letting agencies sift through lists of their customers in a hunt
for possible terrorists.
After years of helping casinos spot crooks, Mr. Jonas conceived of a way to
break that impasse. He has devised software that helps anonymously hunt for
names in databases. The technology is still being tested, but is
nevertheless generating buzz among both civil libertarians and security
zealots.
Mr. Jonas's system makes information anonymous. It's based on a
mathematical technique known as "one-way hashing," which can turn names,
addresses or other data into strings of digits that are almost impossible
to convert back to their original form.
Companies or government agencies could exchange such strings of digits
rather than words that humans can read. If an encoded file for a suspect
matches an encoded file for a passenger, the government could seek a court
order to receive the original record for that passenger's file.
Mr. Jonas's concept "is a potential breakthrough," says Jim Dempsey,
executive director of the Center for Democracy and Technology, a liberal
policy group in Washington. At the conservative Heritage Foundation, also
in Washington, legal research fellow Paul Rosenzweig agrees that the
approach "offers the possibility of a sort of silver bullet" for delicate
problems such as screening lists of airline passengers.
In-Q-Tel, the venture-capital firm funded by the Central Intelligence
Agency, has invested in Mr. Jonas's closely held company, Systems Research
& Development, or SRD. Another fan is Zoe Baird, the onetime Clinton
administration nominee for attorney general and president of the Markle
Foundation. The nonprofit organization, with input from Mr. Jonas and
others, has issued high-profile reports about using technology to improve
both national security and personal privacy. SRD's technology "helps with
both sides of that equation," Ms. Baird says.
Mr. Jonas, 39 years old, created his first program at 16 and his first
company at 18. He founded SRD in 1983, after rebounding from mistakes that
sunk the initial venture.
These days, SRD software is used by casinos to trigger alerts when someone
on Nevada's list of banned felons and mobsters makes a hotel reservation.
The idea is to establish "who is who," correcting for different name
spellings and other ambiguities -- in some cases, revealing multiple
identity records to be a single, suspicious individual. Another product
focuses on "who knows who," comparing people's records for links such as
past employment and residences. It's designed to send alarms, for example,
if a casino manager handed a contest prize to a former roommate.
In the late 1990s, Mr. Jonas was invited to give a talk at a government
technology conference. He says some SRD products were later adopted by
agencies he can't identify for purposes he wasn't told about -- though
sometimes officials call after a successful operation, without providing
details that could be used as an endorsement.
"They'll say something like, `You should be a proud American today,' " says
Mr. Jonas. "It's a marketing person's hell."
The Sept. 11 attacks spurred many new security ideas, beyond existing
measures such as the watch lists distributed to airlines. In general,
however, government agencies don't like sharing names with companies out of
fear of tipping off suspects.
Privacy fears are another issue. Congress, for example, last year cut the
funding for a Pentagon office, headed by retired Adm. John Poindexter, that
hoped to mine records about car rentals, ticket purchases and other
transactions for indications of terrorist activity. A more powerful system
for passenger screening devised by the Transportation Security
Administration has been hampered by airlines' reluctance to share passenger
data. In Europe, officials have resisted plans to share similar information
with the U.S.
With data-hashing, "you can hand your data to your worst enemy and they
don't have anything," says Kim Taipale, executive director of the Center
for Advanced Studies in Science and Technology Policy, a policy research
group in New York.
Stewart Baker, a former general counsel of the National Security Agency,
has co-written a paper arguing that such techniques could allow European
countries to share travel records without violating their strict privacy
laws. The SRD technology "is new in the policy debate," says Mr. Baker, now
a partner at the Washington law firm Steptoe & Johnson.
Hashing itself isn't new, nor is the concept of anonymization. But encoding
names and other data that have many potential variations -- and comparing
coded data on hundreds of millions of records -- seemed impractical. "This
is a humongous mathematical problem," says John Seely Brown, Xerox Corp.'s
former chief scientist and a trustee of SRD investor In-Q-Tel.
Mr. Jonas says a group of government computing experts summoned him last
year to disprove the idea. Though the meeting was scheduled for two hours,
he says he answered their objections in 15 minutes. One reason is that
SRD's software routinely simplifies data before processing it. More than
100 spellings of Mohammed, for example, would be linked to a single "root"
identity before any data-matching process, he says.
There are still plenty of hurdles. In some cases, Mr. Jonas says, companies
and agencies may be reluctant to exchange even anonymized data, since there
is a theoretical possibility that information could be gleaned through
statistical analyses about how frequently certain coded files occur in
databases. In that event, he predicts that third-party organizations will
be used to carry out searches using the hashed information.
Penrose Albright, assistant secretary in the Department of Homeland
Security, says he isn't familiar with SRD's technology, but adds that
anonymization of data is "an area we have a great deal of interest in." He
says, though, that SRD must prove that anonymous database searches can be
as fast as ordinary ones.
Mr. Jonas says three tests involving government agencies and companies will
soon begin, and that a number of applications are being studied, including
ones beyond the realm of security. Two banks negotiating to merge, for
example, might compare lists of coded records to see how many common
customers they had before exchanging identifiable names, he says.
Some people with intelligence experience, meanwhile, are enthusiastic about
the possibility of giving analysts information in a form that makes it all
but impossible for them to violate individual privacy. "Any time the
government takes possession of information it's possible for them to lose
track of what it was originally acquired for," says William Crowell, a
former NSA deputy director who is now a private consultant. "That's when
policies go awry."
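An added example (not part of the forwarded article and not SRD's code) of the flow the article describes: records are reduced to a "root" form, hashed one-way, and only the resulting tokens are compared. It assumes a keyed hash (HMAC-SHA-256 with a key shared by the two parties) where the article says only "one-way hashing"; the variant table, key and records are constructed. The last function shows the residual leak the article mentions: repeat counts of tokens survive hashing.

```python
import hashlib
import hmac
import unicodedata
from collections import Counter

# Constructed stand-in for the "root identity" step; not SRD's data.
ROOT_NAMES = {"mohamed": "mohammed", "muhammad": "mohammed", "mohammad": "mohammed"}

SHARED_KEY = b"constructed-demo-key"  # assumption: agreed out of band by both parties

# Constructed sample records: (name, date of birth).
WATCH_LIST = [("Muhammad Example", "1970-01-01"), ("Jane Sample", "1980-05-05")]
PASSENGERS = [("EXAMPLE, Mohamed", "1970-01-01"), ("John Placeholder", "1990-02-02"),
              ("Mohammad Example", "1970-01-01"), ("Jane Sample", "1981-05-05")]

def normalize(name: str, dob: str) -> str:
    """Canonicalize a record so spelling and ordering variants hash identically."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [ROOT_NAMES.get(t, t) for t in ascii_name.lower().replace(",", " ").split()]
    return " ".join(sorted(tokens)) + "|" + dob

def token(record, key: bytes) -> str:
    """One-way token for a record; the cleartext never leaves its owner."""
    name, dob = record
    return hmac.new(key, normalize(name, dob).encode(), hashlib.sha256).hexdigest()

def matching_tokens(watch_list, passengers, key: bytes):
    """Tokens present on both lists; each side maps a hit back to its own record."""
    watch = {token(r, key) for r in watch_list}
    return sorted(watch & {token(r, key) for r in passengers})

def frequency_profile(records, key: bytes):
    """Repeat counts per token: visible to whoever holds the hashed list."""
    return sorted(Counter(token(r, key) for r in records).values(), reverse=True)

if __name__ == "__main__":
    hits = matching_tokens(WATCH_LIST, PASSENGERS, SHARED_KEY)
    print("matching tokens:", [h[:16] + "..." for h in hits])
    print("token repeat counts in passenger list:", frequency_profile(PASSENGERS, SHARED_KEY))
```

Without the normalization step the three spellings produce three unrelated tokens and the match is missed; without a key, anyone holding the hashed list can hash the same normalized form themselves, which is why the key and the exact canonical form both have to be agreed in advance.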