By Srinivasan K. Rangachary
The US Attorney General has issued new guidelines for the National Counter Terrorism Center ( NCTC), giving it fresh powers to datamine the US citizenry and to hold data which may have no bearing on terrorism for half a decade. The organisation was established in 2004 as part of the long- term response to 9/ 11, to serve as a hub for information sharing between US and foreign security agencies and generate more credible terrorism alerts.
It is the inspiration for the Indian organisation of the same name which P. Chidambaram untiringly campaigns for, in the teeth of controversy arising out of multiple fears, the latest being that it may compromise the federal powers of states. And so this development in the US is of considerable interest to us in India.
Earlier, the US NCTC had been empowered to use data from third parties like credit card companies and airport authorities in three ways. It could do a limited search itself, or it could request another agency to do the job. Or, if these threw up blanks, it could clone a whole database and run custom tests. Pattern analysis could not be used for the first two methods, only for the last. A potent tool, it does not need a starting point in the form of a suspect. It is a fast, deep algorithmic search for patterns of behaviour which are likely to be associated with criminal or terrorist intent. However, it is generally understood that it is not reliable without human interpretation.
The new guidelines promote the third method, which used to be the last resort, to the default. This means that pattern analysis can now be used to routinely correlate the activities of people across databases in a manner that amounts to massive invasion of privacy. In addition, the guidelines sharply increase the amount of time that the NCTC can hold private data on record, even when the subject of the data is not suspected of any wrongdoing. The last guidelines, issued in 2008, had restricted the period to six months, though technically, the system was supposed to forget data immediately after analysis. Now, the period has been extended to a whopping five years. In other words, the agency which collected the data will have erased it years before the NCTC does. This move will have several repercussions.
The NCTC will be empowered to do deep analysis of trends and patterns in the information stream — what amounts to sophisticated data mining.
It will also be able to correlate data not only across databases, but also across long spans of time, and thereby track changes in behavioural patterns. And most importantly, the NCTC will be encouraged to copy more and more databases from service providers and agencies both in the US and overseas and subject them to data mining on the off chance that future terrorist threats are unearthed.
From the point of view of the US citizen, this is perhaps not very problematic, especially if there is a payoff in the form of threat reduction. However, they may be slightly disturbed because these guidelines have been issued after 18 months of consultation within government, but with no legislative or public discussion.
But seen from outside the US, this is a problematic development. People from all over the world get on the radar of the US security agencies when they apply for visas or land in US airports. That’s all right, but if the NCTC also accesses databases outside the US, correlates and tracks their activities outside the US, this would amount to a serious breach of privacy at long distance, across borders.
The possibility is not so remote. In 2009, the data — mining silo of the FBI was found to contain unusual artefacts — itineraries of US and foreign travellers, declarations made to the treasury by casinos and banks, records of people who had stayed at Ramada Inns and Howard Johnsons, and reverse white pages listing 696 million people by their phone number.
This American issue of data privacy in the age of global terrorism interests us for two excellent reasons. One, data about Indians is likely to be copied and mined by the US NCTC. Not only data about Indians living in the US or visiting it, but even those who have never left Indian shores. This has always been possible, using pliant multinationals. The very companies and banks which bend readily to government pressure in the US can also be coaxed into parting with data collected by their Indian subsidiaries, partners and interests. And once the Aadhaar universal ID is in general use, it will be an even more rewarding activity, because data which is thus accessed will always be tied to reliable identity information, and possibly to a wealth of other, unsought personal data.
Secondly, we are replicating the NCTC here and will encounter the same question — without public consultation, should an organisation be allowed to change its rules governing the use of information about the public? Since it amounts to widening its powers to snoop on and manipulate sensitive private data, it is a significant issue.
The linchpin of an attempt to profile a citizen is the identity of that citizen, which means that the Aadhaar ID will be central. In order to allay public fears, its creators have repeatedly said that Aadhaar only establishes identity by a yes- no dialogue. It can only confirm or deny that an individual is who he or she claims to be, and will not answer other questions. However, the Aadhaar data is expected to be connected with other databases through a national grid overseen by the NCTC. These include records generated by various government authorities and private sector bodies — the police, the taxman, insurance companies, hospital administrations, banks, local governments, security agencies and so on.
To perform its counter- terrorist function, the NCTC would have to connect the dots. But if it does this wholesale, without beginning its investigations from an established threat and mining data in bulk as its US counterpart will now be empowered to do, it would routinely breach the privacy of innocent citizens.
The most important issue before organisations like the NCTC in countries deeply affected by terrorism, like the US and India, will not be how to fulfil their brief best. Rather, it will be the more delicate issue of how to do their job credibly without treading underfoot the rights and sensitivities of the innocent among their citizenry. INAV