To catch a thief: Yale
computer science edition

Every day, the National Security Agency, the FBI, and even local police sweep up countless American cell phone records as they search for a terrorist or criminal needle in the haystack of innocent phone customers.

For some, the prospect of being a surveilled tuft of hay seems a small price to pay for protection from bombers and bank robbers. But three Yale computer scientists say it doesn’t have to be a trade-off.

“With the right existing technology deployed under the right policy framework, we can have both strong national security and strong privacy protections,” they write in their recent paper, “Catching Bandits and Only Bandits,” which they presented August 18 at the Workshop on Free and Open Communications on the Internet.

The three—graduate student Aaron Segal ’17PhD, assistant professor Bryan Ford, and computer science department chair Joan Feigenbaum—focus on the bulk collection of data, particularly records from cell phone towers.

In Colorado, federal agents used such bulk records to nab bank robbers known as the High Country Bandits. But, Ford and Feigenbaum note in the MIT Technnology Review, “the FBI intercepted cell-tower records of 150,000 people to find one criminal who had carried a cell phone to three robbery sites.”

Instead, they say, “the FBI could have quickly extracted the bandit’s number without obtaining data on about 149,999 innocent bystanders”—by using an “encrypted metadata search system” that they’ve developed.

The key to the system is that it has three keys—three encryption/decryption keys held by “independent authorities, such as the law-enforcement agency, the authorizing judge, and a legislative oversight body.” A computer protocol could still search through the hundreds of thousands of records to identify—in the High Country Bandits example—the single phone that was at each robbery site. But the FBI would see only that matching data; everything else would remain encrypted.

The Ford-Feigenbaum-Segal paper “is a welcome contribution to an important debate with global implications,” says Valerie Belair-Gagnon, executive director of Yale Law School’s Information Society Project.

“Their proposal provides legitimate ways for police and intelligence agencies to find the data that they need for criminal investigation while protecting users from unnecessary data collection,” Belair-Gagnon says in an e-mail to the Yale Alumni Magazine.

One question to consider, she adds: “Does the harm happen when the government collects the info or when it uses it?”

Other privacy experts give the proposal mixed reviews in an article on the website Quartz. The ACLU’s chief technologist calls it a step up from the status quo, but warns that the data protection would be imperfect. And a security consultant tweets about the inabiity of cryptography or other “technical forcing” to “limit how a powerful organization can act directly, without shifting the way social power is distributed.”

___________________________________________

The Yale Alumni Magazine is published by Yale Alumni Publications Inc., an alumni-based nonprofit that is not run by Yale University. Its content does not necessarily reflect the views of the university administration.