Bill to restrict federal data mining wins praise

Computerworld - Analysts applauded the intentions of a bill introduced in Congress this week seeking to place greater checks and balances on the government's use of data mining programs to combat terrorism. But they said it will have to be well crafted to be truly effective.

U.S. Sen. Patrick Leahy (D-Vt.), the new chairman of the Senate Judiciary Committee, and two of his colleagues proposed the Federal Agency Data Mining Reporting Act on Wednesday during a committee hearing on the privacy implications of data mining by federal agencies.

The bill, co-sponsored by Sens. Russ Feingold (D-Wis.) and John Sununu (R-N.H.), would require agencies to report to Congress on their development and use of data mining programs, thereby providing an "oversight mechanism," Leahy said in his opening statement at the hearing. Similar legislation was introduced during the last Congress but received "no attention," he said.

"This year, I intend to make sure that we do a better job," Leahy said.

Such legislation is overdue, said Orson Swindle, a former commissioner with the U.S. Federal Trade Commission and a policy adviser at Hunton & Williams LLP, a Washington law firm. "If ever there was a need for a bipartisan effort, it is now," Swindle said.

Data mining techniques may ultimately help the government in its antiterror efforts, Swindle said. But, he added, "oversight is essential." Care needs to be taken to ensure that there are proper controls for collecting and using data and that there is accountability for any misuse, he said.

The effectiveness of data mining in helping identify potential terrorists remains largely unproven, said Bruce Schneier, chief technology officer at managed service provider BT Counterpane in Mountain View, Calif. "But we can't even begin talking about that issue until we know the scope of the [data mining] being done," Schneier said. The proposed bill would at least "allow us to know what the heck is going on."

For any legislation to be effective, though, it has to cover issues such as justifying data mining programs and minimizing the amount of data being collected, as well as data retention and destruction, said Gartner Inc. analyst John Pescatore.

If a bill "just states things very broadly" and doesn't provide specific guidelines on what kinds of data can be collected and used, it may actually pave the way for government agencies to over-collect and misuse data, Pescatore said. "The CAN-SPAM Act was sort of like that," he noted. "In many ways, it made it easier for spammers."

At Wednesday's hearing, Leahy said that as many as 199 data mining programs are currently operating or being planned throughout the federal government. Among them are programs such as the U.S. Department of Homeland Security's Automated Targeting System for assigning "terror scores" to U.S. citizens and the Transportation Security Administration's Secure Flight program for analyzing data about airline passengers.

Without proper safeguards and oversight, "the American people have neither the assurance that these massive data banks will make us safer nor the confidence that their privacy rights will be protected," Leahy said.

Read more about it in government in Computerworld's IT in Government Knowledge Center.