|
Bruce Schneier, one of America's foremost authorities on secure systems and digital safeguards, examines both the danger and the ludicrous nature of recent changes in the US Dept. of (In)Justice policy toward accurate data. Following Schneier's examples below, it's easy to see how systems without strong accuracy requirements can run amok. Yet the DoJ has done away with requirements that the FBI ensure its data is timely and accurate. But it gets worse. According to Schneier:
[...] This kind of thing is already happening. There are 13 million people on the FBI's terrorist watch list. That's ridiculous, it's simply inconceivable that a number of people equal to 4.5% of the population of the United States are terrorists. There are far more innocents on that list than there are guilty people not on that list. And these innocents are regularly harassed by police trying to do their job. And in any case, any watch list with 13 million people is basically useless. How many resources can anyone afford to spend watching about one-twentieth of the population, anyway? [...]
The very notion that there are 13 million terrorists is absurd. It's highly suspect that even 10%, or 1.3 million, of the listed people are terrorists by any rational definition. No, what we have here is something entirely different -- a group of powerful, paranoid, infomaniacal officials covering their ass without regard to the consequences or impact of their actions on American citizens or their constitutional rights.
According to Schneier, over 80,000 law enforcement agencies have access to this database. On average, there are 2.8 million transactions processed each day. Just think about your local deputy, or court clerk, or minimum wage secretarial assistant entering your data into one of these systems and hitting the wrong key. Think it matters? Think you can get it fixed? Just ask Mike Hawash.
Terrorism databases and the fallacy of the false positive. Schneier runs down the statistical problems of keeping terrorist-suspect databases:
To see this, let's walk through an example. Assume a simple database -- name and a single code indicating "innocent" or "guilty." When a policeman encounters someone, he looks that person up in the database, and then arrests him if the database says "guilty."
Example 1: Assume the database is 100% accurate. If that is the case, there won't be any false arrests because of bad data. It works perfectly.
Example 2: Assume a 0.0001% error rate: one error in a million. (An error is defined as a person having an "innocent" code when he is guilty, or a "guilty" code when he is innocent.) Furthermore, assume that one in 10,000 people are guilty. In this case, for every 100 guilty people the database correctly identifies it will mistakenly identify one innocent person as guilty (because of an error). And the number of guilty people erroneously listed as innocent is tiny: one in a million.
Example 3: Assume a 1% error rate -- one in a hundred -- and the same one in 10,000 ratio of guilty people. The results are very different. For every 100 guilty people the database correctly identifies, it will mistakenly identify 10,000 innocent people as guilty. The number of guilty people erroneously listed as innocent is larger, but still very small: one in 100.
[Boing Boing Blog]
|
