Terrorist watch lists should be put in the cloud, analysts say

A decade after 19 al Qaeda members hijacked four passenger jets in the deadliest terrorist attack on U.S. soil, security experts say cloud computing and other technological advances -- not legislative moves -- are needed to bridge the gaps remaining in the nation's terrorist watch lists.

The various lists of suspicious characters federal agencies use to screen individuals are culled from one central clearinghouse known as the Terrorist Identities Datamart Environment, or TIDE. That repository regularly receives nominations from the intelligence and law enforcement communities and processes the information into a composite list of names called the Terrorist Screening Database. Names on the consolidated list are divided up among several derivative watch lists, such as the No Fly list, based on more stringent criteria.

Although the mechanism for vetting suspects has grown significantly more robust since the Sept. 11, 2001, attacks, holes remain, partly due to international privacy concerns, according to researchers. In addition, each breakout list contains some disparities because of continued uneasiness about sharing sensitive information and challenges in updating the lists in real-time, they said.

"9/11 was, by some accounts, an issue of false negatives, where the people who were not on watch lists should have been," said Seth Stodder, former policy and planning director for the U.S. Customs and Border Protection. Now, sometimes false positives create "too many John Smiths on the terrorist list."

"One big institutional issue with regard to watch lists is essentially [defining] your tolerance for risk," he said.

Some security analysts said one way to allay security and privacy fears would be to encrypt identification data -- rendering it indecipherable to intruders -- and then segment that protected information online, in the cloud, for instant sharing.

There is "a need to continually hone the watch listing environment so everyone is getting what they need without security or privacy breaches, some of which themselves cause gaps due to the traditional fear amongst those within the intel community to share information when sourcing may be sensitive," said Janice Kephart, national security policy director at the Center for Immigration Studies, a group that favors reducing immigration.

She said she is "hopeful that there are many problems cloud computing, alongside dynamic keys" for decoding the encrypted data, will solve in terms of watch list upkeep.

On Wednesday, Government Accountability Office auditors reported progress in the Transportation Security Administration's efforts to prescreen passengers traveling to, from, or within the United States against terrorist watch lists.

But some European Union officials, for privacy reasons, have said they would like to restrict the sharing of passenger data with the United States. Stodder, now a senior fellow at The George Washington University's Homeland Security Policy Institute, said such civil liberties concerns and other security issues do not mean Congress should rewrite the counterterrorism surveillance USA PATRIOT Act and create new privacy laws.

"They are not really legal problems, they are more policy concerns," he said. Also, "technology over time is going to allow us to be much more privacy protective."

Indeed, watch list maintenance should be viewed as a public policy decision as much as an intelligence decision, said Paul R. Pillar, a 28-year veteran of the intelligence community who until 2005 served as national intelligence officer for the Near East and South Asia.

"I'm thinking, in particular, of the effect on the traveling public," said Pillar, currently a security studies professor at Georgetown University. The selection methodology for the No Fly list "is not a decision that a government agency can make solely as an intelligence matter," he said. "It is ultimately a political issue in terms of how much security we want to buy."