[EAS]Suspicious Activities

pjk pjk at design.eng.yale.edu
Fri May 30 16:11:00 EDT 2003

Subject:   Suspicious Activities

This puts an instructive human face on the consequences we can
expect from data-mining activities such as the Terrorism Information
Awareness (TIA) program.
Also note the use of spelled-out email addresses, e.g. <chey at
patriot dot net> to prevent automatic harvesting of email addresses
for spam.  --PJK

(NewsScan Daily, 30 May 2003)

     In this week's column, our security experts Chey and Stephen
Cobb explain that the government will be looking for suspicious
people using the same techniques used by banks to identify people
who use stolen credit cards.
A few days ago, Chey presented her bank debit card to pay for some
purchases at Victoria's Secret, only to be told the transaction was
declined. This was not only inconvenient but confusing, since Chey
knew she had enough money in the account to pay for the items she
was purchasing. As regular readers of this column will know, we
believe in redundancy and backups as a hedge against problems with
computers and telecommunication systems, so Chey paid with a
different card. Then she came home and put in a call to her bank.
     The bank's customer service representative confirmed that her
account had been "blocked." The reason? Suspicious activity.
However, he assured her, this was nothing personal. No human being
was involved in making the decision to stop Chey shopping at
Victoria's Secret. In other words, "A hold was placed on your
account by the bank's fraud detection system, a huge cluster of
servers humming away in a distant data center, mining vast terabytes
of data for patterns that might mean something."
     And that is when we started to worry, not about the bank and
the minor embarrassment and inconvenience, but about our government
and our major rights. Specifically, we are worried about the right
to privacy and the Terrorism Information Awareness (TIA) program
(see NewsScan, May 21, 2003). This is a program to "revolutionize
the ability of the United States to detect, classify and identify
foreign terrorists and decipher their plans and thereby enable the
U.S. to take timely action to successfully preempt and defeat
terrorist acts."
     That is a quote from the military web site where the public
face of TIA resides, within the DARPA Information Awareness Office
(IAO). Having spent the last twenty years studying the all too often
wayward ways of computers and humans, we are not comforted to learn
that our government has asked the military to "imagine, develop,
apply, integrate, demonstrate, and transition information
technologies, components, and prototype closed-loop information
systems that will counter asymmetric threats by achieving total
information awareness that is useful for preemption, national
security warning, and national security decision making."
     A recent edition of The National Law Journal described TIA more
directly as "a five-year project to develop and integrate computer
technologies that will sift through public and private databases to
find patterns and associations that suggest terrorist activity. The
databases would include financial, medical, communications and
biometric (fingerprints, gait, iris) data. The technologies would be
used by intelligence, counterintelligence, law enforcement and
homeland security agencies."
     In other words, the government is going to be looking for
suspicious people the same way that Chey's bank looks for suspicious
account activity. Over the past ten years Chey's bank, and many
other institutions, including the cell phone companies, have
collectively spent billions of dollars refining automated fraud
detection systems. These systems are constantly improved because
competing vendors want to outscore each other on accuracy of
prediction, rejection of false positives, response times and so on.
We're confident Chey's bank uses something very close to
     Hence our concern when we learned that the suspicious activity
detected by this state-of-the-art system was, and we kid you not:
buying clothes after buying gas. The bank representative explained
that when people steal credit cards they often test them at a gas
station to see if they still work (pay-at-the-pump stations offer a
relatively risk-free way to do this). A successful test is often
followed by a shopping spree in up-market stores. While he
apologized for the inconvenience, the bank rep seemed surprised that
anyone would find the bank's action at all strange, even though Chey
was using her own debit card, to put gas in her own car, in the town
where she has lived for several years, and she just wanted to buy
some clothes at a store where she has shopped several times before.
     Now the government is going to spend hundreds of millions of
your tax dollars to develop a data mining system. We predict that
the system they create, if it ever gets to the deployment stage,
will not predict terrorist acts with any more accuracy than Chey's
bank predicted she was a thief. What the system almost certainly
will do is negatively impact the lives of many innocent people, in
ways much more disturbing than not being able to buy your first
choice in lingerie. At the same time, the privacy of everyone will
be invaded, particularly those of us accustomed to paying for things
with plastic.
     Since 9/11, airport security has been frisking people who buy
one-way tickets with cash, despite the fact that today's terrorist
is highly unlikely, for that very reason, to buy one-way tickets
with cash, just as tomorrow's credit card thief will probably avoid
shopping right after he or she fills gas. Just because computers can
beat humans at chess doesn't mean they can reliably predict what
humans will do in life, which is not a game. Terrorists are humans.
Fighting terrorism requires human solutions that address human
motives. Until the Beltway technocrats wake up to these facts, we
suggest you use cash when you shop at Victoria's Secret, or at least
gas your car the day before you go shopping.
     [Chey Cobb, CISSP, the author of "Network Security for
Dummies," is an independent consultant (www.cheycobb.com) and a
former senior technical security advisor to the NRO. She can be
emailed as <chey at patriot dot net>. Stephen Cobb, CISSP, developed
computer programs to audit oil companies in the early eighties.
Recently, he helped develop SpamSquelcher and the Trusted Email Open
Standard. He can be emailed as <scobb at eprivacygroup dot com>.]
