One of the most controversial programs was the Total Information Awareness (TIA) initiative that was quietly launched in 2002 by the Defense Advanced Research Projects Agency but then abandoned in 2003 after Congress stopped funding for it following a public outcry.
William Perry, co-chair of the NRC committee that wrote the new report, said in a prepared statement that technology should be used as needed to combat terrorism. "However, the threat does not justify government activities that violate the law, or fundamental changes in the level of privacy protection to which Americans are entitled," he added.
The NRC committee didn't look specifically at any counterterrorism-related data mining initiatives, nor did it conduct any direct evaluations of behavioral surveillance tools being used by agencies. Instead, the report is based on a generalized study of the effectiveness of such technologies in identifying potential terrorists.
What the report highlights are the severe limitations of automated data mining techniques for counterterrorism purposes and their potential privacy impacts, said committee member Fred Cate, who is the director of the Center for Applied Cybersecurity Research at Indiana University.
Automated data mining tools typically work by searching through mountains of data in large databases for unusual patterns of activity, which are then used to predict future behavior. The tools have proved to be useful for commercial applications such as detecting payment card fraud and predicting purchasing trends, Cate said.
"We can look at 50,000 people buying television sets and know that many of them are going to be buying a DVD at the same time," Cate said. But using the same techniques to try to identify a potential terrorist is futile because there simply isn't enough historical data upon which to base any predictions, he claimed, adding that there is little information available about patterns that could reliably point to terrorist activity.
On the consumer side, "you have millions of examples of the target data you want to emulate, so you know certain patterns look like fraud," Cate said. "With terrorists, we fortunately don't have too many examples."