Not long after 19 terrorists boarded four airplanes on a rendezvous with infamy, Jeff Jonas asked himself a question: did officials have the necessary information to identify these killers before they took their seats back on September 11, 2001? Since Jonas's livelihood is fingering bad guys--the Las Vegas firm he founded, Systems Research and Development (SRD), helps casinos shut their doors to mobsters and card counters--he had his own ideas for exploiting information that had, in fact, been available before 9/11. First, he found that two of the terrorists, Nawaf Alhazmi and Khalid Almihdhar, flying under their real names, were on a State Department watch list. A third had the same address as Alhazmi; two others (including Muhammad Atta) shared a residence with Almihdhar. Five others had the same phone number as Atta. Another had the same frequent-flier number as Almihdhar. All in all, using the techniques that Jonas has perfected at SRD, 14 of the 19 terrorists might have been flagged as risks.
Given that experience, it's no surprise Jonas now finds himself at the center of a raging debate over the use of databases in fighting terrorism. He's gone from a guy who started a small tech business in his old Mercedes 300D to a CIA-funded entrepreneur who's built a business based on ferreting out bad guys, with a recently concocted twist--to protect people's privacy in the process. This would help address a vexing post-9/11 problem: on one hand, it's clear that with proper knowledge, it's possible to weed out potential wrongdoers before they fly, check into Disneyland or appear on a reality-television show. But in order to do this, authorities must sift through vast warehouses of personal information, public and private. Privacy advocates say the trade-off isn't worth it--the systems so far haven't stopped terrorists, and the Orwellian risks of allowing the government to dip into databases are too great. Unanswered in all this are two key questions: is the technology really good enough to catch bad guys on the spot, and is there any way to use this stuff without encroaching on civil rights?
Enter Jonas, a 39-year-old thrice-divorced single father who dresses in black, trains for Ironman races and thinks geek. He has a bagful of systems to address the problem, including one to figure out whether someone is who he says he is, one to figure out who a person is connected to and another to tackle the aforementioned privacy problem. Fans of the underdog will appreciate his backstory. Jonas was a high-school dropout and a teenage programming entrepreneur whose first company went bust when he was 20. He promptly started his next venture, SRD, though he was living in his car at the time. After years of work, he took on an assignment to help track the marine life in the huge aquarium at the Las Vegas Mirage. While working there, he learned that casinos were having trouble identifying people on their watch lists. So he began creating a software system to address that problem. First came a scheme that uses a person's data trail to verify if he really is who he says he is. Then he created what came to be NORA (Non-Obvious Relationship Awareness), a scheme that races through oodles of data to figure out if people are connected with unsavory characters. And it does all this in mere seconds. The casinos were delighted. "The record speaks for itself," says Mirage spokesman Alan Feldman. "We have zero problems."
A system like NORA seems to have antiterrorist potential, and in January 2001 the CIA invested in SRD. At first, "we treated it as a flier--the day after 9/11, though, it was a different discussion," says Gilman Louie, CEO of In-Q-Tel, a venture fund bankrolled at about $35 million a year by the Company. Louie says that unlike other antiterrorist data-mining schemes being peddled "by every Tom, Dick and Harry," NORA was different. Other schemes try the fuzzy trick of figuring out what hypothetical terrorists might do and try to find them by looking at the behavior of a population. Jonas's system focuses on identifying real suspects and the people to whom they are linked.
With In-Q-Tel's help, SRD now has government customers that Jonas isn't even permitted to acknowledge. They seem to be happy, but of course that's classified. Spook types will tell Jonas sotto voce that his software has yielded significant successes, but they can't tell him what they are. Nor can Jonas tell outsiders what event precipitated FBI chief Robert Mueller's signing the commendation hanging in his SRD office.
After 9/11, Jonas served with bigwigs like Wesley Clark on a Markle Foundation task force, National Security in the Information Age, and became engaged in the privacy problem. His response was to invent ANNA ("NORA's little sister," he explains), a system that "anonymizes" data by an encryption technique called hashing. Because the data are scrambled, private records can be shared with the government and secret watch lists can be distributed to private entities, all without fear--because they can't be read. But the encrypted records can be processed to find matches, however, and when there's a hit between, say, a coded entry on a hashed terrorist list and an entry on a similarly hashed hotel reservation, then authorities (with a judicial go-ahead) can ask the owners of the original databases for the identity of the suspect (graphic).
ANNA is only one of several interesting approaches to melding privacy with data mining. Some hard-line privacy advocates are skeptical: "A switch to anonymize can be set to de-anonymize," says Marc Rotenberg of the Electronic Privacy Information Center. But others see the still-untested system as a significant contribution in the privacy-versus-security debate. "ANNA is the real thing," says Stewart Baker, a former National Security Agency general counsel.
Jonas has a lot of time to work on ANNA because in 2002 he turned over SRD's reins to a new CEO, John Slitz, a veteran of IBM and Novell. Slitz is gearing to sell technology to corporations in financial services, health care and insurance. This month SRD also announces an alliance with ChoicePoint, the alpha player in using information to nail fraudulent customers and vet potential employees. Though ANNA isn't part of the initial launch, ChoicePoint vice president Jim Zimbardi says that it's "a terrific tool," and is testing it for implementation as early as this year.
Techniques like anonymization, of course, only partly address the data-mining dilemma. There are other avenues such as audit trails to track who's making the queries, and, perhaps most important of all, firm rules embodied in law that limit the use of personal information. Even then, all that data mining can do is keep us safer, not safe. Jeff Jonas's recent experiences in dark rooms have driven that lesson home to him. "Technologies like ours are just Band-Aids," he says. "The real problem is hundreds of thousands of people who are brought up to hate us." That's something even geeks can't fix.