DARPA ignored privacy concerns

Defense Advanced Research Projects Agency Web site

The Defense Advanced Research Projects Agency failed to recognize the privacy sensitivities raised by the Terrorism Information Awareness program, according to a report released earlier this month by the Defense Department's Inspector General.

TIA, a project designed to collect information from disparate locations and sources to determine patterns that could indicate an impending terrorist attack, was effectively killed by the recent passage of the Defense Appropriations Bill, which cut funding for nearly all aspects of the program.

Despite its apparent demise, the content of the IG's report, "Information Technology Management: Terrorism Information Awareness Program," "remains applicable in the event that program concerns are resolved or DOD pursues similar technologies in the future," the report stated.

DARPA officials proposed in the fiscal 2004 budget an estimated $53.8 million in funding for development of TIA.

Researchers working on the program said in late September that the program died prematurely largely because the agency didn't better explain its uses and safeguards. At a Sept. 30 meeting of the Defense Department's Technology and Privacy Advisory Committee (TAPAC), researchers involved in the program gave details about their participation in an attempt to show that the much-maligned system was not the all-encompassing spy technology it had been made out to be.

However, the IG report said, "although the TIA technology could prove valuable in combating terrorism, DARPA could have better addressed the sensitivity of the technology to minimize the possibility of any governmental abuse of power and could have assisted in the successful transition of the technology into the operational environment."

The report recommended that DARPA and the undersecretary of defense for acquisition, technology and logistics conduct privacy impact assessments before this type of technology is developed in the future. The report also recommended the undersecretary to appoint a privacy ombudsman who will ensure that similar future technologies are scrutinized from a privacy perspective as a means of safeguarding individual privacy.

Anthony Tether, director of DARPA, said the Congressional inquiry which led to the IG's investigation did not fully address the issues surrounding TIA and that the concerns of Congress were unfounded to begin with.

"We recommend that the report explicitly state that DARPA was not developing a system for domestic law enforcement," Tether's response reads. "In addition, the [February 2003 Strategic Plan] and [May 2003] congressional report stated that any use would first have to be approved by Congress and other authorities."

Tether went on to say that DARPA didn't need to perform a privacy impact assessment because that requirement "does not apply to systems that involve intelligence activities."

"We believe, however, that a statement that any organization deciding to use TIA products should do a privacy impact statement if applicable, is warranted," he continued. "In the case of the current development partners, a privacy impact statement should not be required."

Originally called Total Information Awareness, TIA was designed to help national security analysts track and pre-empt terrorist attacks by spotting patterns in credit card and travel records, biometric authentication technologies, intelligence data and automated virtual data repositories.

Privacy advocates have sharply criticized the program, arguing that it could be used as a tool to spy on American citizens without the due process given more conventional surveillance techniques.