On April 9, 2003, I testified before the U.S. House of Representatives Permanent Select Committee on Intelligence at an open hearing entitled "Securing Freedom and the Nation: Collecting Intelligence Under the Law." There were several other witnesses at the table with me – mostly from privacy and civil rights organizations – and we had all been asked to present our views on the various new technologies that enabled the collection of large amounts of data that could be relevant to the threat of another terrorist attack – and 9/11 was still fresh in all our minds.
As we also might recall, at that point in time, most everyone was concerned about connecting the dots between the disparate categories of information – e.g., intelligence and law enforcement – and the sharing of terrorist threat relevant information between the various agencies at the federal, state and local level.
With that set up, here is the meat of my testimony, which essentially addressed the issue of Big Data and how we should deal with it to extract the threat relevant information from it consistent with privacy:
[W]e have to do two basic things simultaneously – evaluate and enable new technologies, and protect our civil liberties – and not do one at the expense of another.
Well, the Devil is in the details of how we do both, but even then the various approaches are not necessarily inconsistent. There are a number of ways to evaluate technologies in this context, and I suggest that we take a closer look at the way laboratories in the intelligence community create and evaluate technology that could affect civil liberties. As we know, such laboratories have in existence approved guidelines and procedures which this committee reviews, and which address these dynamics.
I'm not suggesting that this research should be done in intelligence laboratories, it should be done in the labs and organizations best suited for the work, wherever that is. I am saying that we have some very good models to follow and we should follow them.
Second: With regard to all new technologies that affect the privacy of Americans, we should stick with what we know; and again, I believe that we should look to the whole intelligence community and apply its thirty years of experience in dealing with "U.S. Person" information: what it is, who can collect it and under what circumstances, how it is disseminated and controlled. This is at least a place to start – even though these new technologies may well end up in some non-intelligence context.
Third: We should remember that there are significant differences between the technology to collect information, and the authority to collect it; also, that all information collection regimes need to be policed, and audit trails need to be created for which a senior person is accountable. In this context, new authorities may be needed for new technologies.
Finally, we also need to understand that the generalized assembly or collection of data is different than targeting a person or an activity. In fact, with so much data, and the technical ability to look at so much of it, the operative, and I submit, the legally relevant act, is ultimately how much the data is associated with an identity as it is the limitations on collecting or initially sorting the data.
In short, what we have with regard to new information technologies is far closer to the dynamics we have already confronted with regard to the collection and use of SIGINT (this refers to signals intelligence, the traditional work of the NSA) – and we should look to how we have structured that oversight regime for models for new oversight regimes, if we determine they are needed for new technologies.
These words are just as relevant and significant today as they were ten years ago – and maybe more so – especially the following basic ideas:
At the same time, there are lots of emotional and uninformed reactions to the media reporting of the Snowden disclosures concerning the work of the NSA; and frankly, there are also tactical uses of these same stories by some privacy advocates. None of this will be very helpful in the ultimate resolution of the latest conflicts – real or perceived – between privacy and national security. And, in the end, we will need to allow our intelligence committees and their professional staffs to do the dispassionate and objective work we insist they do, regardless of party politics.
However, and make no mistake about it, within today's Big Data is contained the threat relevant information we need to ensure our safety from the death and terror that knows no boundaries, nationalities, citizenship or age restrictions.
So, we need to be able to look at big data, sort it, analyze it, collate it and do whatever else we need to distill the threat relevant parts out of it – and, when it gets to the stage where the data is associated with an identity, we need to apply whatever safeguards and obtain the approvals that are then required and appropriate. In the end, we cannot – under any circumstances – allow threat relevant information (whether it's intelligence or not) to somehow hide because we have prevented ourselves from looking at it. However, the process we have established to look at it – which protects our privacy – is just as important.
Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.