A CIA-backed Las Vegas firm is pitching a new technology that it says could address many of the privacy problems brought on by the government's ever-growing need for information in the war on terrorism.
Systems Research and Development, a company known for helping casinos spot fraud, has developed a product called Anonymous Entity Resolution. It claims the technology can help investigators determine whether a terrorist suspect appears in two separate databases -- say, a government watch list and a hotel reservation system. And the company says it can make that determination without handing over the government list to the hotel, and without handing the reservation records over to the government.
SRD has shared the technology with the Department of Defense, which is reviewing its capabilities. The company has received investments from several agencies, including In-Q-Tel, the CIA's technology investment arm.
"It looks to be significantly exciting," said an unidentified Pentagon source familiar with the company and the technology. "We think it will alleviate some of the issues associated with privacy protection."
The system is unique, the official said, in that it applies "entity-resolution techniques" to data that's been scrambled for security reasons. The software sifts through data like names, phone numbers, addresses and information from employers to identify individuals listed under different names in sepearate databases. If, for example, a man named Rahmin Abdul rents a van, entity-resolution software can determine that he's the same person as Abdulahh Rahman included on a government watch list of suspected terrorists.
However, SRD's Anonymous Entity Resolution technology takes this concept one step further. It not only finds the information by comparing records in multiple databases, but also scrambles the information using a "one-way hash function," which converts a record to a character string that serves as a unique identifier like a fingerprint.
"All it tells them is that they have somebody in common," said Jeff Jonas, founder and chief scientist at SRD. "It doesn't tell them who."
Once a match is found, which happens when disparate records produce the same character string, agents can isolate those particular records without examining any other information.
A record that has been one-way hashed cannot be "un-hashed" back to the original record -- any more than "a sausage can be turned back into a pig," Jonas said.
This ensures that even if someone intercepted the scrambled records, he couldn't extract information from them. Thus, watch lists and corporate databases could be securely compared -- but not shared -- online.
"This could have a huge amount of value to all levels of government, as well as commercial companies," said Gilman Louie, CEO of In-Q-Tel, adding that he had "great confidence" in the technology, as well as in SRD's ability to "deliver the goods."
With privacy debates heating up in recent months over the extent to which law enforcement priorities trump civil liberties in the fight against terrorism, the technology seems well timed.
The Total Information Awareness program proposes to sift through vast quantities of citizens' personal data, such as credit card transactions and travel bookings, to look for terrorist activity. The program and other such proposals have run into a wall of privacy concerns erected by lawmakers, advocacy groups and the media.
"All the latest debates in Congress and among privacy groups, on the left and right, are about the government accumulating vast amounts of information, of being able to look through it willy-nilly," said John Slitz, SRD's chief executive officer.
But privacy fears extend beyond concerns about individuals' civil liberties. Intelligence agencies also want to keep their watch lists private.
"The greatest problem that has plagued government watch lists is that the creators don't want to give them to anybody," said Jim Dempsey, the executive director of the Center for Democracy and Technology. "This includes other government agencies."
The secrecy is often warranted. If, for example, the government gives a list of suspected terrorists to a few thousand companies, even if it requests that the list remain secret, there's a possibility it will end up in the wrong hands.
A watch list of suspected terrorists created after 9/11 by the FBI took on a life of its own after being distributed to select companies, showing up on the Internet long after many of the people listed on it were cleared of any suspicion.
The data in the watch list, because it was not dynamically connected to the source -- that is, the updated file in the agency's system -- inevitably became outdated.
Anonymous entity resolution could solve such problems, according to SRD. Using the technology, investigators could compare information from different databases, such as corporate accounts and government watch lists, without accessing information that either party wants to remain private. And the data in watch lists could be dynamically updated, removing the danger of outdated, static versions circulating in the public domain, he said.
However, Dempsey said the solution cannot address more fundamental privacy issues, like whether the data is accurate in the first place and how that data will actually be used by law enforcement. Moreover, it does not solve problems such as how a person can be removed from a list.
"It does give the government some benefit of constantly updated information, and it avoids the data maintenance, management, accuracy and staleness problems, as well as the sort of mission creep and privacy problems that come from the government accumulation of data," he said. "But there are still a huge number of other issues that this doesn't begin to address and that need to be addressed."
And, Dempsey warned, "Nobody should think that there is a single technical solution to the privacy and due-process issues that are associated with the government use of watch lists and commercial data in an effort to identify terrorists."
