MATRIX has a strong information retrieval component, which is useful for states to share information across jurisdictional lines. But the predictive analysis component of the system -- which Tien said helped produce a list of 120,000 high-risk people in Florida -- is suspect. "You have nothing specific about anyone. You have no evidence the guy is a bad guy except for the characteristics the computer has selected."
Florida officials did not return calls for comment.
Tien said one difficulty in getting these programs to work is that little is known about terrorists. He said predictive technology can work well in situations such as credit card fraud because that's a common crime where factors are known and consistent. The same can't be said for terrorism.
The ACLU's Stanley said privacy concerns were the main reasons the nine states withdrew from MATRIX. Specifically some were concerned about the privacy implications of housing sensitive public data at a private company. But some legislators were just outraged that the program was instituted without legislative approval, he said.
It's imperative to develop clear privacy policies before implementing and testing predictive technology systems, according to Ruth David, CEO of Analytic Services Inc. (ANSER) and former CIA deputy director for Science and Technology
"In some cases, we've gotten the discussion of technology ahead of clear articulation and development of the policy that goes behind it," David said.
Complicating that process is that policies can shift drastically based on public perception. "It really is a problem, though, because the policy in terms of what is socially acceptable might change rapidly in case of an attack, and you can't develop technology like that overnight."
One solution is to further educate technology developers on how to include privacy protections in these systems from the beginning, she said. "They need to consider the privacy aspects. We somehow as a nation need to find a way to invest in and develop new tools, new technologies to aid law enforcement and security applications in parallel, and make sure they're proven before going operational."
One way to do that is to develop "dual benefit" technologies, David said. "When I say dual benefit, I'm really talking about how a solution is implemented so it yields benefit to daily operations and simultaneously enhances security."
That's important, she said, because terrorism is a low probability, but the threat can't be ignored. So systems that work for daily operations will be proven if and when they're needed for homeland security. David cited border security -- where an information management solution that tracks cargo could have benefits beyond security. She said speed of commerce could increase with a system that tracks cargo, and flags unfamiliar or unusual cargo thereby allowing familiar cargo to get through faster.
David believes systems such as CAPPS II and MATRIX fall short of those goals, but do have potential. CAPPS II could facilitate speedier travel for airline passengers, and MATRIX has day-to-day law enforcement benefits because of its information retrieval component. But the criticism of both programs and the difficulties associated with implementing them will not subside without some sort of consensus on policy.
"We very much need to have an informed debate about the policy issues and understand how to simultaneously build in the protections for personal privacy."