Ex-cop says makers of data-mining software must recognize intel rules

Companies that make data-mining software for local intelligence fusion
centers “don’t understand” that police are required to observe decades-old
federal rules that restrict how certain computer systems containing
sensitive information can be used. That conclusion comes from a 25-year veteran of the
state police in New Jersey who now works for a company that sells
intelligence management products to the law-enforcement community.

Stephen Serrao has visited and worked with several so-called fusion
centers, which Congress helped finance after Sept. 11 by making hundreds
of millions of dollars in federal homeland security grants available to
state and local governments. The idea is for police in your area to
better share essential information about possible criminal and terrorist
threats with their federal counterparts, poor communication being one
of the reasons why the terrorist hijackings were allowed to occur in the
first place.

Civil libertarians have repeatedly expressed concern that the centers
are stockpiling too much personal data about Americans who haven’t
committed a crime in the hope that some piece of it can be “fused” with
another to unravel a terrorist plot. Serrao and his colleagues counter
that organizations like the ACLU “have no clue” what’s actually being
collected and analyzed at fusion centers.

But Serrao in recent months has also written candid articles for
security industry media outlets that contained enlightening disclosures,
even though he intended them to help fusion centers improve their capabilities.
Last year he raised questions about whether the centers had
consistently developed clear enough missions for what they wanted to
accomplish.

One center, he wrote, spent much of its time handing out driver’s
license photos to police who’d requested them because it turned out to
be faster than calling the DMV. “So, the center has resources tied up
sending out pictures,” he stated, “which leaves little to no resources
or time for checking to see if the suspect has any ties to Al-Qaeda. See
the problem?”

Centers elsewhere have spent a small fortune constructing facilities
with specialized walls, windows and locks so that personnel inside could
securely handle top-secret information. “Many fusion centers that will
never have to deal with top-secret information have been built to this
standard … Most centers are dealing with top secret data less than five
percent of the time. We are overbuilding and over-securing these centers
at significant cost, and it is causing great inefficiency.”

His latest commentary appeared July 22 on the Security Debrief blog
where Serrao described a recent trend among fusion centers to purchase
new data-mining tools – one of the very concerns civil libertarians have
about the centers. There are multiple data streams available to police
that have “separate and distinct laws governing what law enforcement can
and cannot do with them.”

To begin with, the tools these vendors are selling may not perform
functions that authorities want them to, he wrote, like properly
capturing “suspicious activity reports,” another emerging but
controversial development at fusion centers.

He goes on to say that many of the companies “don’t understand these
systems need to comply with [28 CFR Part 23],” federal standards that
govern how police intelligence can be used and shared. The guidelines
say that police can’t collect and broadly share intelligence
about an individual or group unless reasonable suspicion exists that
they are involved in criminal activity. Intelligence here is
distinguishable from other police work, such as material generated
during the investigation of a crime that’s already been committed.

Consider the difference between a husband investigated for murdering
his wife and a large gang suspected of supporting itself by trafficking
counterfeit consumer goods. The scope of inquiry can sweep in a greater
number of people, and with police power involved, authorities have a
responsibility to show that otherwise constitutionally protected
Americans deserve to be scrutinized by law enforcement for public safety
reasons. Rules controlling this data were conceived years ago following
an unsavory legacy of local police intelligence abuses
that led to lawsuits and changes in the law.

Which brings us back to data mining, a process that involves much
more than finding out if a perpetrator stabbed his beloved to death. Law
enforcement officials say the world has become more dangerous since
Part 23 first went into effect. Terrorists could be planning attacks in
any community across the country, they argue. Technology has made it
easier to collect and probe vast amounts of data that could be useful.
And with the right information in place to “connect the dots,” police
may be able to curtail violent crimes before they occur, an extremely
popular concept among authorities at the moment known as
“intelligence-led policing.”

A fusion center in Massachusetts, for example, uses multiple
databases, including two that contain motor vehicle information and
insurance claims. The center distributed a pamphlet that says its personnel collect and
analyze information “from all available sources to produce and
disseminate actionable intelligence to stakeholders for strategic and
tactical decision-making in order to disrupt domestic and international
terrorism.”

That doesn’t necessarily mean Massachusetts is mining data, but
clearly fusion centers have transcended standard witness interviews from
everyday burglary investigations. And despite ongoing efforts to
improve protections for privacy and civil liberties at the centers,
Serrao very lightly suggests that at least when it comes to data mining,
it’s possible they’re pursuing new frontiers in law enforcement without
fully recognizing the need to respect individual rights:

Agencies want to ensure that they are holding data
consistent with all the rules and regulations. If the data-mining
technology companies have not considered any of the aforementioned
issues, their tools are putting fusion centers at risk of violating
statutes, laws and regulations.

Source: http://www.centerforinvestigativereporting.org/blogpost/20100730excopsaysmakersofdataminingsoftwaremustrecognizeintelrules