Feeling Insecure

The first time my name got me into trouble was in high school. A football player heard that I had taken his girlfriend out on a date, and rumor had it he was "gonna pound" me. When I met the big fella, it took a lot of time and people to convince him that he had the wrong Mark Hall, despite his 5-foot-10-inch girlfriend's denial she'd ever met my 5-foot-4-inch self. Recently, our sister publication CIO hired Mark Hall to lead its IT department. Congratulations have been coming in fast and furious -- and curious, because no one knew I had such skills. And our parent company, IDG, even sent me a cell phone destined for him. (Now, if only they'd send me his paycheck, too.)

So, you can see why I'm feeling nervous in this new era of heightened security. Oh, I don't mind the gun-toting guards in airports and at public venues. I've traveled abroad enough to be sanguine about seeing uniformed men and women toting Uzis and Glocks. What I fear are those armed and dangerous databases our government and commercial entities are compiling; they could contain false positives on "Mark Hall" and other innocents in the war on terrorism.

It doesn't comfort me to know that the Defense Advanced Research Projects Agency (DARPA) has changed the name of its Total Information Awareness (TIA) project to Terrorist Information Awareness. After all, TIA's intent remains the same: to create integrated and efficient access to information in various public and private data silos and process it in order to thwart terrorist plots. As DARPA researchers told Congress in late May, the agency can't guarantee "the accuracy and utility of any information retrieved by TIA's search tools, [but] consideration should be given, in implementation, to the quality of the databases to be queried." In short, false positives will persist, giving me nightmares that Donald Rumsfeld, a former champion wrestler, will someday come over to my house to pound me.

Then there's Regulatory DataCorp International LLC (RDC). Last year, Computerworld wrote about the newly formed commercial operation, noting that "Regulatory DataCorp will compile information from public resources, including international, federal and local law enforcement records. It will then sell access to the database to other companies so they can screen potential customers."

RDC's users are primarily financial institutions that, by statute, must make every effort to weed out lawbreakers of all stripes. According to Chief Operating Officer Peter Nitze, as of last month, RDC already had "a little bit under 1.5 million names" in its database. Could "Mark Hall" be one of them?

Solving the false-positive problem in these massive databases isn't trivial. Stephen Brobst, chief technology officer at NCR's Teradata division, which is renowned for its monster databases, points to problems consumers have had with credit reports.

That's why Congress passed the Fair Credit Reporting Act, which gives us access to our credit histories to help assure us that they're accurate. It's unlikely that these counterterrorism databases will offer us equal protections.

But Brobst points out that the problem gets stickier because of the catastrophic risks of false negatives -- that is, likely terrorists and other nasty folks who aren't added to the database because the criteria for adding suspects are too conservative. As such, he thinks the tendency will be to protect against false negatives, increasing the odds of false positives.

Nitze agrees. That doesn't mean RDC ignores the problem. It uses human analysts, who receive more than a month of training, to review identical names by searching for data discrepancies to ensure that the good Mark Hall (that would be me) isn't mistaken for his evil twin.

This conundrum hasn't gone unnoticed inside the Pentagon. A Defense Department spokesman tells me, "It's quite possible for the Muslim equivalent of 'John Smith' to create false positives." So DARPA has also designed procedures to cull out the false positives. But the tendency for the creators of these applications is to err on the side of inclusiveness. In other words, the more "Mark Halls," the better.

It will take time and experience before projects like TIA and RDC are able to balance real security needs with the thorny problem of false positives, which waste their time and resources. In the meantime, I'm considering changing my name to Marcusian Halloflowskovich. Has a nice ring to it, don't you think?

Mark Hall is a Computerworld editor at large. Contact him at mark_hall@computerworld.com.

Copyright © 2003 IDG Communications, Inc.
