As I write this post, details are starting to emerge about the man suspected of killing 7 people in 3 separate attacks in the area of Toulouse, south of France (for instance, see BBC article here). The details echo a familiar theme. This is someone who had come to the attention of law enforcement and placed under surveillance. With surveillance and compulsory data collection taking over more and more areas of our life, the question needs to be asked: If profiling can detect when a credit card has been stolen, or a customer is pregnant, why does it fail to stop terrorism?
In this post, I describe what is doable vs. what is acceptable, when it comes to using profiling to stop terrorism.
Surveillance
Mohammed Merah came to attention of the French authorities due to his travels to Pakistan and for expressing radical Islamist ideas (plus a number of non-terrorism related crimes).
The scrutiny of cross-border passenger traffic is an essential part of many countries’ national security programmes. It aims to block the entry of problematic individuals, such as terrorists.
While not new, the scrutiny of cross-border traffic assumed renewed importance following high profile terrorist attacks in the US, UK and elsewhere.
Profiling
Records of almost every aspect of our daily lives – from travel patterns, to financial transactions or communication and internet browsing activity – are collected and used to develop models of behaviour, the profiles.
These profiles are used to make decisions. For instance, if analysis of someone’s patterns of behaviour suggests association with terrorist organisations, law enforcement may decide to arrest that person.
A profile is deemed to be good when it leads to the right decision.
Can we use behavioural profiles to detect terrorism?
That was the topic of a panel in which I participated, at the Global Insecurities conference in Leeds, last September.
Also joining the panel was my colleague Alistair Fitt. With his applied mathematician hat on, Alistair described the challenge in 2 parts: 1) what is doable and 2) what is acceptable.
This is my take on the doable vs. acceptable discussion.
Is it doable?
To develop good behavioural profiles, analysts need to have well-defined models of the behaviour in question. In turn, that means that there needs to be a substantial number of past events to build the models on, and/or a clear cause-effect chain.
That is why profiling works so well in credit card fraud. The popularity of plastic money and the clear link between one card and its users, allows credit card providers to develop very good models of what is ‘normal’ behaviour for the users of any given card.
The same can not be said of terrorism. While there are some consensual definitions of terrorism, there is no unequivocal, agreed definition of what is a terrorist (as opposed to, say, a freedom fighter).
The ambiguity is even greater when it comes to ‘suspect’. There are many ways in which terrorists can express their opposition to a political, economic or ideological objective. That is, the behaviour being modelled is ambiguous.
Moreover, there are no clear, sure signs that someone is intent on attacking innocents. For instance, not all radical Islamists go on to kill, and not all terrorists exhibit extremist religious views – we only have to remember the 2011 attacks in Norway to prove the point.
Analysts also have to deal with secretive and deceptive behaviour, and ever changing forms of recruiting supporters (like the Jihad Jane case) and executing crimes.
In other words, there are many technical challenges to overcome.
Is it acceptable?
With such small samples of the behaviour being profiled, mistakes will occur. On the one hand, some criminals may slip through the net (false negatives). On the other, innocent citizens will face disruption (false positives).
With credit cards, the costs of false positives are felt by the same person who benefits from effective profiles. Therefore, there is tolerance for intrusive data collection and profiling practices, and acceptance of false positive errors.
That is not the case in terrorism profiling.
In terrorism profiling there are high economic and social costs of false positive errors. And there is only a tenuous link – or no link at all – between those that suffer the costs of false negatives and those that benefit from intrusive surveillance and profiling. That is, there is a clear imbalance between the risk and the reward of profiling and, with that, no support for the extremely expensive and highly intrusive surveillance activities that might prevent further terrorist attacks.
In summary, using profiling to prevent terrorism is hardly doable and largely deemed not acceptable.
Is there a role for profiling in the fight against terrorism, then?
Yes.
Time and time again, surveillance data has been used to prove criminal activity or dismantle criminal networks. Lives were saved as a result of effective profiling – though, we will never know for sure how many, where or when.
The problem, in my view, is not so much that surveillance occurs or that it is fallible. Rather, the danger is over-estimating the predictive power of profiling and using profiles to inform decisions for which they are not suitable – for instance, to fight benefit fraud.
What about you:
Does it upset you knowing that governments monitor your movements for security purposes? How is that different from knowing that commercial organisations monitor your purchases to shape their offer?
Ana Canhoto 
Great entry, Ana. And I’ve never really thought about how I feel about being monitored by the government. I suppose if it is for the greater good – to protect society (and I’m passionate about freedom from terrorism), I can live with being monitored.On the flip side, I think being monitored by organizations is a different matter. I don’t feel strongly about it either way. For instance, stores like Tesco get my money because I like earning points so I don’t mind being monitored on my habits and purchases. I see that this is ultimately for profit. But there is a clear difference between this and monitoring for terrorism.I’m reblogging your post to hear views from my blog readers! Hope you don’t mind 🙂
LikeLike
Hi Kemi,Yes, of course you can feature it in your blog. Let me know what your readers make of it.It seems that most of us (and I say ‘us’ – i.e., me included) really do not like the government collecting our passport data when we travel or snooping our internet browsing activity, yet will happily hand over a wealth of information to Tesco and the like, in exchange for a few pence off. We heavily discount the cost of a terror attack somewhere in the uncertain future, and highly value a few pence off our bananas in the present.By the way, a supermarket tried to get away from paying insurance to someone who slipped and fell in the shop, by using loyalty card data to suggest that the client might have a drinking problem! So, loyalty card data can actually work against the customers, too.Thanks for stopping by, Kemi. Let me know what your readers say.
LikeLike
Again a great and insightful post, Ana. Exactly why I love reading your blog. And a good question as well. I think I don’t really mind that data about me is collected, but I do have a problem with it being interpreted, especially because it can go wrong. What I would like is to be able to defend myself against the conclusions, and not being confronted with it suddenly. Now, I don’t expect that I’ll run into problems, but if someone analysing my data makes a mistake, or the model they use is wrong, I might. That I find problematic.My not really minding might also have to do with the fact that I understand how the process works and what the trade-offs are. But many don’t. A simple example is Facebook use. Many people think it’s free. But it is only free in the sense that an exchange of currency does not take place. You pay for the use by exchanging that for your data. And knowing that, you also know that no matter what privacy settings you have, Facebook can only thrive by collecting and using your data. So, even though I border on oversharing, there are simply things that I would never post to a social network.I think understanding this is important for people, and also for students. And that refers back to your earlier post on skills they’d need in the digital age.
LikeLike
That’s my problem, exactly. Mistakes will always happen – in the data collection itself or the interpretation of the patterns. Yet, some users don’t really understand the limitations of the profiles, and act on them when they really are not suitable. It is so frustrating when you try to argue against some decision informed by these profiles and you are told ‘but the computer says so and so; there is nothing I can do’…
LikeLike