IT Life

A Dual-Edged Sword: Providing Information, Stealing Privacy

A former National Security Council cyberspace expert explains how government technology can be used to simultaneously provide useful data--and steal privacy.
Matrix may be insecure. No one relishes the possibility of unauthorized access to, or tampering with, highly sensitive personal information. Everyone is familiar with computer break-ins and virus attacks, but these are only a small part of a growing cybersecurity problem for our nation.

Naturally, Matrix takes pains to emphasize its impressive security features. Nonetheless, as a former National Security Council cybersecurity official, I know well how software vulnerabilities--sometimes secretly installed--can be used to break into and manipulate computers. Increasingly, cybercriminals and terrorists spend their time finding these vulnerabilities. Because of this, you should never believe any software developer who claims that a system is secure. And the fact that the Matrix software was developed by a company run by an alleged drug informer should make you even more concerned.

Matrix lacks oversight or citizen accountability. Organizationally, Matrix seems as if it were designed to deliberately obstruct any sort of citizen accountability, either to remove bad data or stop practices that incorrectly target innocent people.

Matrix officially is managed by the Florida State Police but is actually run by a private company (founded by that alleged drug-ring insider). This convoluted system doesn't have any public accountability--all the personal data is consolidated in private hands, and much of the data is bought from other private companies.

Even a state governor has been burned by Matrix. Employing the time-honored "need to know" principle, state bureaucrats decided that the new Utah governor didn't need to know about Utah's state police participation in Matrix. When she finally found out, Utah was out of Matrix within hours. At this writing, two more states have quit Matrix--but others are still considering joining it.

Matrix is only the beginning of a new wave of technologies. The technological capability to compile and analyze vast amounts of personal data, resulting in predictions of personal behavior, is here to stay. The private sector does this every day to predict and influence what we buy. What's different about Matrix is that its users can arrest or subpoena you, not just sell you cookies or cars.

So what should we do? Two paths would be most effective, each supporting the other.

In the short term, we need an understanding that Matrix, and other programs like it, require an effective, mandatory system of public oversight. Participating states must work together, perhaps under federal coordination, to create a system that includes independent--and effective--audits and regular public reports. A public governing board would ensure that such new law-enforcement systems work as they are claimed and that abuses are corrected immediately and publicly.

For the longer term, we need to begin a national discussion about the limits we want to place on the ability to gather, collate, and analyze trillions of pieces of personal data. Indeed, despite its other possible problems, the most troubling fact about Matrix is that it has emerged without a widespread public discussion about its implications. Congress should feel ashamed.

In the case of Matrix and its ilk, our time-honored standards of privacy are at stake, and they're rapidly deteriorating. We can shape this new technology, or let it shape us.

Which will we choose?

Jeffrey Hunker, Ph.D., was senior director for critical infrastructure at the National Security Council, specializing in cybersecurity. He is principal of Jeffrey Hunker Associates, consulting with both the public and private sectors, and is also professor of technology and public policy at Carnegie Mellon University. Dr. Hunker can be reached at [email protected] or through

To discuss this column with other readers, please visit the Talk Shop.