DHS Privacy Office Report on MATRIX

The Privacy Office of the Department of Homeland Security has issued a report on MATRIX: The Multistate Anti-Terrorism Information Exchange. MATRIX is a now-defunct data mining and data sharing program among federal, state, and local law enforcement agencies, one of the many data-mining programs going on in government (TIA -- Total Information Awareness -- being the most famous, and Tangram being the newest).

The report is short, and very critical of the program's inattention to privacy and lack of transparency. That's probably why it was released to the public just before Christmas, burying it in the media.

Posted on January 3, 2007 at 11:58 AM • 6 Comments

Comments

Davi OttenheimerJanuary 3, 2007 1:07 PM

I suppose this is irrelevant to the report, but the first thing that jumped out at me (aside from the ridiculous name) was that the giant cover graphic has the shared 1 and Uplink ports both filled...no wonder they had trouble.

Reads like a typical postmortem for scary information systems projects:
1) unclear objectives
2) failure to adequately assess risks
3) lack of documentation/guidelines
4) weak authorization lines (e.g when to aggregate data) with no auditing

So they experienced scope creep/wander, ran right into predictable roadblocks, had to stop and write guidelines midstream, and grafted on audit/log capability at the end.

Although the report talks about a lack of transparency as the root of the problem, it seems to me it would have only helped if the project had also been able to address the four points mentioned above.

Most interesting, I thought, was that they moved from a centralized model to a more sensible decentralized (federated?) one where states could keep their own data, and they defined "authorized use" including a separation of public data from commercial. That lesson seems particularly relevant given recent news of unified database projects like OneDOJ

Mike WymanJanuary 3, 2007 1:49 PM

Bruce, the report states quite clearly that Matrix was not a data mining project. What's the source of your information that it was?

Bruce SchneierJanuary 3, 2007 2:12 PM

@ Mike

All the information we got about MATRIX talked about the data mining nature of the project. This report seems to only talk about the data sharing nature.

Post Mortem DumpJanuary 3, 2007 2:57 PM

The report basically admits that the program gave a misleading impression of its scope: "...the project was over-sold as a pattern analysis tool for anti-terrorism purposes..."

Overall this report sounds has similarly excellent recommendations to the report they did for Secure Flight. Basically: design in Privacy Act compliance from the start.

But I got a kick out of this one:
"Finally, they suggested that in the future, such programs think carefully about their name selection, since too many projects have used names that were inflammatory and did not accurately describe their purpose."

Carnivore. Matrix. Next up: "Fuzzy Bunny III", the warm, friendly datamine!

Aside from the move to a decentralized model which Davi Ottenheimer described, I'm also curious about this fact: "As of April 2005, only four states out of the original 13 Coalition states remained..."

Did the other states bail out because the handwriting was already on the wall, or because of local political pressure over privacy concerns (I highly doubt that), or because ultimately MATRIX was just not (cost-)effective in practice??

another_bruceJanuary 4, 2007 12:14 PM

forgive this slightly off-topic comment, but president bush did something on december 20 which should be of great interest to the fans here (of schneier, not bush). when signing the "postal accountability and enhancement act", which expressly forbids opening first-class mail without a warrant, he issued a "signing statement" reserving the right to open your mail and read it _without_ a warrant under "exigent circumstances".

http://www.nydailynews.com/news/wn_report/story/485527p-408789c.html

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..