Privacy in an Age of Terror

To track terrorists, government snoops will have to track you, too

Khalid Al-Midhar came to the attention of federal law enforcers about a year and a half ago. As the Saudi Arabian strolled into a meeting with some of Osama bin Laden's lieutenants at a hotel in Kuala Lumpur in December, 1999, he was videotaped by a Malaysian surveillance team. The tape was turned over to U.S. intelligence officials and, after several months, Al-Midhar's name was put on the Immigration & Naturalization Service's "watch list" of potential terrorists. When the INS discovered in August that Al-Midhar was already in the U.S., the FBI assigned agents to track him down.

By the time the FBI figured out where Al-Midhar was, downtown Manhattan was in flames, part of the Pentagon had been destroyed, and more than 5,000 people were dead. Racing to reconstruct the disaster, agents pulled the manifest of hijacked American Airlines Flight 77--and discovered that Al-Midhar had bought a ticket for the flight using his real name.

As politicians, businesspeople, and terrorism experts try to prevent the horror of September 11 from ever being repeated, they are taking a closer look at the story of Khalid Al-Midhar. Could the tiny shred of information about him--his name and his image--have been used to thwart the attack? The answer may be yes. Technology exists that, had it been far more aggressively deployed, might have tracked down Al-Midhar before he stepped on board the plane. The FBI's list of potential terrorists, for instance, could have been linked to commercial databases so that he might have been apprehended when he used his Visa card days before the attack.

The videotape of Al-Midhar also could have been helpful. Using biometric profiling, it would have been possible to make a precise digital map of his face. This data could have been hooked up to airport surveillance cameras. When the cameras captured Al-Midhar, an alarm would have sounded, allowing cops to take him into custody.

The aim of these technologies is simple: to make it harder for terrorists to hide. That's top priority now--and it's likely to drive a broad expansion of the use of intrusive security measures. Polls taken since September 11 show that 86% of Americans are in favor of wider use of facial-recognition systems; 81% want closer monitoring of banking and credit-card transactions; and 68% support a national ID card. But the quest for safety is also going to come at an incalculable cost to personal privacy. Any tool that is powerful enough to strip away the anonymity of Khalid Al-Midhar--one dangerous traveler among millions of innocents--will do the same thing to ordinary citizens. Their faces will have to be scanned by the same cameras, their spending habits studied by the same computers.

The war on terrorism is still in its early days, but one thing is already clear: In the future, information about what you do, where you go, who you talk to, and how you spend your money is going to be far more available to government, and perhaps business as well. "September 11 changed things," says former Federal Trade Commissioner Robert Pitofsky, one of the most forceful privacy advocates in recent decades. "Terrorists swim in a society in which their privacy is protected. If some invasions of privacy are necessary to bring them out into the open, most people are going to say, `O.K., go ahead."'

Across a wide range of battlefields, privacy is on the retreat. Many high-tech surveillance tools that were deemed too intrusive before September 11, including the FBI's "Carnivore" Internet eavesdropping system, are being unleashed. Pre-attack legislation aimed at protecting people from unwanted privacy invasions has been shelved, while Congress is on the verge of passing an anti-terrorism law giving cops broad new powers to wiretap, monitor Internet activity, and peer into personal bank accounts. The notion of forcing citizens to carry a national identity card--once anathema to America's open culture--is getting more serious consideration than ever in U.S. history.

These developments could wind up having profound implications for our democracy. Privacy involves the most fundamental issue in governance: the relationship of the individual to the state. Since the forefathers, Americans have been committed to the idea that people have the right to control how much information about their thoughts, feelings, choices, and political beliefs is disclosed. It's a matter, first and foremost, of dignity--creating a boundary that protects people from the prying eyes of the outside world. That, in turn, helps to shield religious minorities, political fringe groups, and other outsiders from persecution by the majority.

By reducing our commitment to privacy, we risk changing what it means to be Americans. To the extent that ID cards, databases, and surveillance cameras help the government track ordinary citizens, they may make people marginally less willing to exercise basic freedoms--to travel, to assemble, to speak their minds. "It's possible that through a tyranny of small decisions, we could make a nightmare society," says Harvard Law School Professor Laurence H. Tribe.

Of course, we're still a long way from that point. Although many civil libertarians worry that the era of Big Brother is dawning, polls show that Americans are still committed to personal privacy and are unwilling to give law enforcers a blank check. President George W. Bush quickly dismissed the notion of a national ID card. And a coalition of left- and right-wing libertarians gave the Anti-Terrorism Act far rougher going than most commentators initially expected. Furthermore, none of the proposals currently on the table--such as installing facial-recognition systems at airports or linking the FBI's databases to those run by the airlines--fundamentally threatens civil liberties.

But this is a rapidly evolving issue. We have already abandoned a number of old privacy taboos. If new attacks come and the U.S. is powerless to stop them, a mandate could develop for greater levels of surveillance. Here are some of the key areas in which personal privacy could begin to erode:

What You Do

No matter how hard terrorists try to keep a low profile, they live in the real world. The team that attacked the World Trade Center had to buy plane tickets, take flying lessons, communicate with one another, and draw money from bank accounts.

All of these moves leave traces on widely dispersed computer databases. That's why the tool that probably has the most potential to thwart terrorism is data-mining. Think of it as a form of surveillance that casts its eye on computer networks. If cops could survey the nation's computer systems and discover that a member of an extremist group also bought explosives and visited a Web site about building demolition, they might be able to halt a potential attack. Or if someone tried to purchase anthrax, the seller could run an instant background check.

Today, those databases aren't linked. The FBI's watch list of suspected terrorists hasn't even been connected to the INS or the State Dept., much less the private sector. A wide variety of laws and taboos has prevented the government from hooking up its files with those of airlines, credit-card companies, and private data-collection organizations. But that's already changing: On Oct. 11, INS chief James Ziglar told a Congressional committee that he is moving to link the agency's computers to the FBI's central database of bad guys. He also wants to require air carriers to submit passenger lists to the INS to prevent suspected terrorists from boarding U.S.-bound planes.

Some people, including Oracle Corp. CEO Lawrence J. Ellison, are recommending the creation of even broader databases. Other industry experts, all of whom stand to profit from such a plan, argue that such vast systems are already feasible. For example, Wal-Mart Stores Inc. and Kmart Corp. have databases containing over 100 terabytes of information about everything from sales to inventory to deliveries. That's the equivalent of about 200 billion documents--some 100 times larger than the Internal Revenue Service's commercial tax-filing database. "There are real-life data warehouses that absorb information in near real time, process it, and issue alerts within seconds or minutes," says Richard Winter, an independent expert on large database systems.

A key challenge will be developing sophisticated software to sift through the databases, pinpointing likely terrorists and suspicious behavior. Working together, a team of criminologists and software developers would need to design profiles of potential evildoers. That has been done in the past to track down serial killers and to thwart hijackings with mixed results. The airline industry's Computer Assisted Passenger Screening system (CAPS) failed to pick out almost all of the September 11 terrorists. But there's good reason to believe the technology can improve. Software maker Sybase Inc.'s new mining software can already analyze up to 1,000 variables, vastly increasing cops' ability to find the needle in a haystack of personal data.

Of course, there are huge political and legal hurdles to launching such systems. For one thing, government officials have a long history of abusing their power to collect personal information. Remember J. Edgar Hoover and Richard M. Nixon? For another, databases created for one purpose have a way of being reused in unintended ways. Files that Massachusetts accumulated about citizen health insurance claims, for example, had to be turned over to the tobacco industry when the state sued cigarette makers (though the state took steps to ensure that individuals' identities were masked). Over the long term, widespread deployment of data-mining will depend in large part on the ability of law enforcers to persuade the public that effective guidelines can be designed--and followed.

Who You Are

One of the most controversial issues on the privacy landscape is that of national ID cards. Many Americans are instinctively repulsed by the idea. Passion runs so strong on this issue that the government has repeatedly blocked efforts to use Social Security numbers for drivers' licenses, voter registration, and prison records. The fear is that the Social Security number would become the equivalent of a national ID card.

More than 100 other countries, many of them democracies, disagree. They come in many varieties. Germany, after the human rights abuses of the Nazis, takes a minimal approach. Cards contain basic information, including name, place of birth, and eye color. Malaysia, on the other hand, this year launched a project to issue 2 million "multipurpose" cards in Kuala Lumpur. A computer chip allows the card to be used as a combination drivers' license, cash card, national health service card, and passport.

That's only the beginning of what's theoretically possible. Given the power of digital technology, criminal records, immigration data, and more could be packed onto ID cards. In fact, they could contain so much data that they become the equivalent of portable personal files.

That's still a long way off. From a cop's perspective, ID cards are desirable because they make anticrime databases work better. As things stand now, one typing error at the airline check-in counter--say, John Smiht--and all the fancy efforts to unite Delta Air Lines Inc.'s database with the INS watch list don't add up to much. Forged drivers' licenses or passports--not to mention legitimate alternative spellings, such as Jon Smith or John K. Smith--produce the same problem.

A national ID card solves this by turning every person into a reliable data point for entry into larger databases. Once national ID cards are in place, airlines, explosives manufacturers, and border-crossing guards will know exactly which John Smith they are dealing with. So terrorists will have a harder time passing themselves off as ordinary citizens. True, ID cards can be forged. But that problem can largely be managed via "smart" cards equipped with computer chips that can store the cardholders' fingerprints or iris scans as biometric authentication devices.

The concern, of course, is that ID cards could lead the country down a slippery slope. Over the long run, say critics, they might be used as a platform for creating new databases. Starting with a card like, say, the one Malaysia just launched, governments could require the ID cards to be swiped into electronic readers every time people shopped, traveled, or surfed the Web and could accumulate an unprecedented quantity of information on their citizens.

For now, though, the question of a national ID card appears to be off the agenda, though it's nowhere near dead. Even some longtime civil libertarians are reevaluating. On Sept. 10, "I was a knee-jerk opponent of ID cards," says Harvard University law professor Alan M. Dershowitz. "Now, I've had to rethink the whole thing."

Where You Go

In recent years, scientists have made enormous advances in location-tracking tools. Surveillance cameras with facial-recognition software can pick out criminals in public places. Global positioning satellite (GPS) transponders in cars, boats--and one day, in handheld devices such as phones--send out signals identifying people's latitude and longitude to within 10 feet. Both of these technologies will flourish in an environment free of many of the privacy concerns that clouded their future before September 11.

So far, facial-recognition systems are used primarily in highly controlled situations as authentication devices, to vouch for the identities of workers entering, say, a nuclear power plant. They are not often used, especially in the U.S., as a general surveillance device in public places. Tampa police use them in high-crime districts. A few casinos have also installed them. But in the wake of the terror attacks, a security committee formed by Secretary of Transportation Norman Y. Mineta has recommended the aggressive rollout of facial-recognition systems in airports. But it's still unclear how useful they will be. They can still be tricked by people wearing fake beards. And they tend to generate too many false alarms. Unless these glitches get fixed, the devices may never be appropriate for high-traffic settings such as tunnels and bridges.

GPS is a different story. The technology works--and it has been rapidly spreading to new places. Before September 11, privacy groups and some legislators had been working to limit the ability of companies to collect location data from customers surreptitiously and to raise the legal standards for enforcement officials to subpoena this material. Those battles, for the time being, are lost causes. If GPS information helps track down terrorists, it will be collected.

Whom You Talk To

Law enforcers need the ability to find out with whom suspected terrorists are talking and what they are saying. That's why the government lobbied for the Anti-Terrorism Act, which gives the feds increased powers to eavesdrop on telephone calls and digital communications made through e-mail, online service providers, and digital devices.

Unlike facial surveillance, ID cards, or data-mining--which invade everybody's privacy--the government's new eavesdropping powers will primarily target known suspects. So they don't raise as many issues for the public at large.

There's one major exception: Carnivore, a technology the FBI uses to monitor e-mails, instant messages, and digital phone calls. Carnivore generated widespread controversy before September 11 for being too powerful. When installed on a suspect's Internet service provider, it searched through not only the suspect's Web activities but also those of people who used the same ISP. After privacy advocates complained, the FBI scaled back its deployment. Now, the brakes are off. There are widespread reports that the government has hooked up Carnivore to ISPs with minimal oversight. The government will probably soon demand that ISPs and digital wireless providers design networks to make them easier to tap. Just a few months ago, the FBI wouldn't have dared to ask. Now, such a move would barely make the papers.

Facial-recognition software. Data mining. National ID cards. Carnivore. For the near future, these technologies are going to be deployed as stand-alone systems, if at all. But we live in a digital age. All of these technologies are built on ones and zeros. So it is possible to blend them together--just as TVs, computers, video games, and CD players are converging--into one monster snooping technology. In fact, linking them together makes each one exponentially more effective.

A national ID card, for example, could be used to launch a new unified database that would track everybody's daily activities. Information culled from Carnivore could be stored in the same place. This super database, in turn, could be linked to facial-recognition cameras so that an all-points bulletin could go out for a potential terrorist the second the data-mining program detected a suspicious pattern of conduct.

Other, more futuristic new technologies could be added to the mix. Scientists will be able to make much more powerful surveillance devices if they're freed of the privacy concerns that have restrained them in recent years. Already, researchers are working on satellites that can read the unique color spectrums emitted by people's skin and cameras that can tell whether people are lying by how frequently they blink. Left unchecked, technologists could eventually create a nearly transparent society, says David J. Farber, a pioneering computer scientist who helped develop the Net. "All the technology is there," he says. "There is absolutely nothing to stop that scenario--except law."

To be sure, nobody is proposing such systems. And they are a long, long way from technical feasibility. But they are within sight--and no more far-fetched than, say, eBay Inc.'s auction-everything Web site was a generation ago. Indeed, unifying the various surveillance systems makes sense from a technological standpoint, and there's likely to be strong pressure, once the tools are in place, to try to make them work better.

As the U.S. enters the next phase of the war on terror, it is useful to keep this Orwellian scenario in mind, if only as a warning beacon of some of the hazards ahead. It is also reassuring to know that privacy principles developed in the past still apply in this new world. Surveillance can be checked by laws that require regular audits, that call for citizens to be notified when they're investigated, and that give people the right to correct information collected about them. That's the best way of guaranteeing that, in our efforts to catch the next Khalid Al-Midhar, we don't wind up with Big Brother instead.

By Mike France and Heather Green in New York, with Jim Kerstetter in San Mateo, Calif., Jane Black and Alex Salkever in New York, and Dan Carney in Washington

    Before it's here, it's on the Bloomberg Terminal.