The system of domestic counterterrorism law enforcement.

• Author: Morrison, Steven R.

Edward Snowden's recent leaks of the NSA's telephony metadata collection program, and the Internet surveillance programs PRISM and XKeyscore are only the latest iterations of the "big data" phenomenon. Arriving just in time for 9/11, new technologies have enabled government agencies to collect and aggregate massive amounts of information, usable in counterterrorism and domestic law enforcement alike. While such moves have probably stopped some terrorist plots, they also entail systemic inefficiencies that lead unavoidably to unjust results, in the form of both false positives and false negatives. This Article explains these inefficiencies by describing a complex positive feedback loop inherent in domestic counterterrorism law enforcement.

INTRODUCTION I. A SHORT HISTORY OF CRIME MAPPING II. LIMITATIONS OF SOCIAL NETWORK MAPPING A. Operator Bias B. Data Collection C. Determining Link Relevance III. NETWORK ANALYSIS AND ITS POSITIVE FEEDBACK LOOP A. General Crime Mapping's Positive Feedback Loop B. Counterterrorism's Positive Feedback Loop IV. COMPONENTS OF THE COUNTERTERRORISM LOOP A. Stabilizers. B. Positive Drivers C. Negative Drivers CONCLUSION: NATIONAL SECURITY VS. LOCALISM INTRODUCTION

During summer 2013, former National Security Agency contractor Edward Snowden treated the nation to a series of revelations about the National Security Administration's (NSA) domestic surveillance program. It began in June, when Snowden told the Guardian that the NSA obtained telephony metadata from telecommunications companies (1) and could capture individuals' Internet activities. (2) After numerous other revelations, (3) and admitted legal violations, (4) the latest news is that the NSA tested a program that could determine people's locational data through their cell phones. (5)

Much of the NSA's work is to discern what connections exist among people who are apparently unrelated. People with no connection to known or suspected terrorists may be pulled into surveillance through what is known as "hop" or "chain" analysis, in which analysts are taught to look at the records of the suspect, but also "the records of everyone he calls, everyone who calls those people and everyone who calls those people." (6) The bases for surveilling someone include mundane factors like "someone whose language is out of place for the region they are in" and "someone searching the web for suspicious stuff." (7)

This Article locates these post-9/11 surveillance moves in the larger system of domestic counterterrorism law enforcement of which the NSA programs are a part. This system is characterized by a complex, positive feedback loop that, over time, pulls more people into its orbit. This feedback loop is based on social network analysis, which has its historical roots in crime mapping. This Article summarizes that history, details the contemporary social network feedback loop, and explains how the loop produces inefficiencies in the form of false positives and false negatives.

It is held as truth that more data, if it is well-managed--that is, arranged in a useful way that reflects its true meaning--and effectively searchable, will inevitably improve law enforcement's ability to spot dangerous patterns and discern criminal intent.

This Article challenges that assumed truth on two fronts. First, data mining may not produce its presumed accurate results. Bruce Schneier, for example, has argued that data mining will produce wasted law enforcement efforts in chasing false positives, and will also produce false negatives, because all that data mining does is enlarge the haystack. When what you are looking for is a rarity--as terrorist plots, or at least attacks, are (9)--and its rate of occurrence relative to all environmental conduct is quite low, then enlarging that field will make detecting the rarity statistically even more unlikely. (10)

Second, the positive feedback loop resulting from counterterrorism law enforcement produces increasing systemic inefficiencies that (1) do not reduce data noise or reveal real criminal patterns; (2) reinforce the preconceived notion that such law enforcement does reduce noise and reveal patterns; and (3), as a result of (1) and (2), often lead to inaccurate targeting of suspects (either as false positives or false negatives). These results are inaccurate and inefficient law enforcement responses. Because this is a positive, or self-reinforcing, feedback loop, these three inefficiencies tend to grow over time, resulting in systemic instability.

These inefficiencies emerge because of the apparent, but unproven, reliability of the digital age mosaic database that allows the government to link suspects with each other in social network maps, whether they have an actual relationship or not. (11) The faith that the government gives to these linking efforts amounts almost to a fetish. (12) It is instantiated at trial as prosecutors invoke the global jihad movement, (13) a rhetorical tactic that is not entirely vacuous, accurate, or new. (14) In the 1950s, prosecutors alleged the existence of an "international Communist movement," (15) similar in form and function to the global jihad movement. Both were supposed to indicate a worldwide network of people, closely aligned in ideology and criminal purpose to destroy the United States. They both worked to enable prosecutors to allege damning conspiracies and introduce questionably relevant evidence thereof. (16) They both also retained currency as valid evidentiary tropes because observers believed that they signaled real foreign existential threats to democracy and society itself. (17) This expansive vision produces expansive law enforcement, and thus the feedback loop.

This loop starts with the assumption that a large number of people around the globe have the intent to engage in terrorist acts. Data mining and network mapping are the central (but not only) drivers of the loop. For example, law enforcement agencies profile certain groups, such as mosque attendees in the greater New York metropolitan area. (18) Agencies watch and infiltrate these groups and engage in data mining (through informants, undercover agents, suspects' Internet use, wiretaps, etc.), then deposit this data into aggregators like the Total Information Awareness (TIA) system, (19) the Multistate Anti-Terrorism Information Exchange (MATRIX), (20) and the Disposition Matrix. (21) Law enforcement then accesses this linked informational world and "connects the dots" (22) to discern veins of terroristic criminal intent or planning (XKeyscore may serve this connection function). The data mosaic is therefore remapped (or reimagined) to produce patterns that apparently reveal people with terroristic intent and their supposed affiliates. Law enforcement then locates a suspect, who has not "yet" committed any crime. Given the data mosaic, however, there is often enough evidence to charge the suspect with conspiracy, (23) providing material support, (24) making a false statement, (25) or an immigration violation. (26) If none of these charges are available, the government may arrest the suspect as a material witness. (27) With these arrests, the threat of the global jihad movement is reified and confirmed. (28) The global jihad movement and the evidence produced from the data mosaic assume evidentiary relevance and probity and therefore become the legal truth. (29) Having their initial suspicions confirmed, law enforcement agencies engage in more group targeting, more data mining, and more data aggregation. The feedback loop is complete, and is positive because it self-reinforces.

The system of counterterrorism law enforcement is unstable and therefore produces inefficiencies--specifically, it targets people who are innocent (or, as in the case of the targeted killing of Anwar al-Aulaqi, who may not have deserved the punishment imposed) and may not detect people who in fact have terroristic criminal intent. (30) The initial (and persistent) need to pursue terrorists just after 9/11 caused the government to engage in a set of law enforcement tactics, including but not limited to mosque infiltration, data aggregation, and racial and religious profiling. These tactics may or may not have been practically sound law enforcement decisions. They were, however, self-reinforcing, creating the positive feedback loop I describe. Some have commented that as the attacks of 9/11 recede, law enforcement responses to terrorism seem, counterintuitively, to be getting more and more normatively problematic. (31) The reason for this is that the feedback loop has been reinforcing initial law enforcement moves, resulting in a distancing from criminal law norms that have traditionally operated as system stabilizers. The problematic aspects of the feedback loop are often intractable because its origin was 9/11--a very real and deadly event.

1. A SHORT HISTORY OF CRIME MAPPING

   The United States' law enforcement efforts against terrorist networks partake of traditional descriptive crime mapping and contemporary predictive efforts. But this 9/11-era social network mapping is fundamentally different. It does not map where actual terrorists reside or where terroristic crimes were committed; rather, it maps connections among people, from the leaders of al-Qaeda to supposed wannabe terrorists in the heart of the United States, who are connected to the terrorist organization sometimes by only a few tenuous online relationships. (32) This mapping presumes the potential probative value of the theory of six degrees of separation. The theory goes: because only four people stand between me and bin Laden, I must be a terrorist.

   This network mapping is enabled by the digital age, which allows the government to amass and aggregate huge amounts of data about individuals around the globe. (34) This mosaic database (35) holds the promise that data noise will be substantially reduced, patterns of data indicative of terroristic intent or...