Now that we have discussed some general considerations regarding agent- enabled surveillance and the legal framework it is time to turn our attention
1 United States Department of Justice v. Reporters Committee,489 US 749 (1989).
2 Rapsheets are criminal identification records maintained by the FBI that contain descriptive information as well as a history of arrests, charges, convictions, and incarcerations.
to the discussion about dealing with the individual quantitative effects of agent-enabled surveillance.
9.2.1 Efficient monitoring and data gathering
In both the Netherlands and the United States the legal framework for elec- tronic surveillance and privacy determines under what circumstances (per- sonal) data may be monitored and gathered by law enforcement agencies. Technological developments that enable law enforcement agencies to gather data more efficiently put pressure on the existing legal framework. We have determined in chapters 7 and 8 that automated surveillance and data gathering, made possible by agent technology, will most likely change the scale and effectiveness of surveillance. As mentioned in subsection 9.1.3 this development may force us to rethink the legal framework as a whole. It is therefore best to recognise the effectiveness of agent-enabled surveillance and data gathering as a quantitative effect of agent-enabled surveillance and address this issue in the broader context of electronic surveillance, privacy, and liberty.
In my opinion agent-enabled surveillance changes the severity of monitor- ing and data gathering as an investigative method. I feel that this new that reality must be reflected in the legal framework. With regard to the legal framework of the Netherlands this could mean that the use of software agents for online surveillance purposes would fall outside the scope of article 2 Police Act 1993. With regard to the legal framework of the United States it would mean applying stricter rules in theAttorney General’s Guidelinesfor automated surveillance.
Furthermore, the fact that software agents can greatly expand the scale on which data can be monitored and gathered, may also force us to limit the scope of their application. We can do so, for instance, by stipulating in the legal framework that it must be sufficiently clear which data sources may be monitored or accessed by software agents. A second way to limit the power of agent-enabled data monitoring and gathering is by explicitly excluding certain sources or types of data. Furthermore, a limit should be placed on the duration of agent-enabled monitoring and data gathering. The best way to effectuate these rules is by programming them directly into the reasoning model of the agent.
When it comes to setting the rules for agent-enabled monitoring and data gathering we must take two different situations into account. The first situation deals with monitoring and gathering data from the internet. Software agents can gather data by accessing data sources on those parts of the internet that are accessible to the public (e.g., webpages, public chatrooms, and news- groups). Since these data are readily accessible there are currently few pro- cedural requirements that law enforcement must meet before data can be
gathered.3Once data has been lawfully gathered the normal rules for using
police data apply. The second situation deals with gathering information from sources that are private.4 If software agents are to collect data from these
private sources they must base their actions on specific authorities found in the law of criminal procedure. In the legal framework of the Netherlands and the United States these provisions contain specific procedural requirements. In my opinion software agents must also meet these procedural requirements. For instance, when in the physical world a law enforcement officer makes a demand for private sector data, he must present the data controller with a warrant. The same rules should apply to software agents. To ensure the agents rightfully obtain private sector data they must identify themselves and provide proof of their authority (for instance, by presenting a digital warrant).
9.2.2 Effective data exchange and data mining
Since the power of agent-enabled data mining is evident, we must ensure that the law restricts excessive use of this technology. Currently, the legal frame- work in both the Netherlands and the United States set forth the rules for data- mining exercises by law enforcement agencies. When it comes to regulation in the area of data exchange and data mining we arrive at roughly the same conclusion as we have seen in the previous section on agent-enabled data monitoring and data gathering. When the effectiveness of agent-enabled data mining surpasses that of traditional data mining it may be necessary to rethink the legal framework as a whole.
One quantitative effect of agent-enabled data exchange and data mining that should definitely be taken into consideration is the ease with which information sources can be linked and integrated. Oftentimes there is no need for extensive data-mining exercises but rather targeted searches in different distributed databases. The easy accessibility of information made possible by agent-enabled data-exchange will have a significant impact on the effectiveness of surveillance, and will facilitate the use of subject-based inquiries. In parti- cular in the United States where private-sector databases are readily accessible by law enforcement agencies, this development is significant. In addition, the fact that the Patriot Act, for instance, sanctions the free exchange of data between law enforcement officers may lead to a situation where the increased accessibility of information could have considerable consequences for privacy and liberty. Recent legislative changes in the Netherlands have also increased the accessibility of private-sector databases. Therefore, lawmakers and policy- makers should reconsider whether the current legislative framework provides adequate protection in the light of this development. If not, legal barriers need
3 Also see subsection 9.3.3.
to be erected to prevent the further integration of databases and curtail an agents ‘freedom of movement’. By placing limits in the legal framework on which databases may be accessed and integrated by agents, we create artificial barriers that reduce the accessibility of information.
Apart from setting artificial barriers in the legal framework to reduce the accessibility of information, there are several techniques that can mitigate possible negative effects of agent-enabled data mining. Taipale (2003) gives a good overview of the three most relevant techniques,viz. rule-based pro- cessing, selective revelation, and strong credential and audit mechanisms. I explicitly note that these solutions are of a technical nature, not a legal nature. Rule-based processing
Rule-based processing technologies allow the incorporation into the technology itself of policy judgements as to how, when, where, and for what purpose particular information can be accessed (Taipale 2003, p. 60). An added benefit is that rule-based processing is particularly well suited for implementation in software agents. By using rule-based processing software agents can query distributed databases according to pre-determined rules, and make use of labeled data to ensure appropriate processing when data is exchanged (Taipale 2004, p. 7). By implementing rule-based processing into the software agent architecture we can create ‘normative agents’. A normative agent is an agent that is able to take into account the existence of social norms in its decisions (either to follow or violate a norm) and able to react to violations of the norms by other agents (Castelfranchiet al.1999). An excellent example of the use of normative agents for data mining is theANITAproject mentioned in chapter 4. Selective revelation
The idea of selective revelation is based upon technologies and procedures that separate transactional data from identity or otherwise reveal information incrementally (Taipale 2003, p. 63). This technology is particularly useful when pattern-based inquiries are used. When pattern-based inquiries turn up infor- mation footprints that suggest deviant behaviour (e.g., a constellation of transactions that can be associated with the preparation of a terrorist attack), the identity of the person involved can be shielded from those that do not have the proper authority to view it. Only after a judge has determined that a basis exists for concluding that the pattern identified is, in fact, a pattern of potential terrorist activity and not merely a coincidental pattern of innocent activity ought the identity of the actor whose pattern is in question ought to be provided to law enforcement or intelligence officials (Rosenzweig 2003, p. 15). In this way, the use of selective revelation techniques can mitigate the possible negative effects of non-particularised searches by permitting a judicial due process between the observed behaviour and the act of revealing identity
(Taipale 2003, p. 66). It is also possible to build these techniques into agent technology itself, which further adds to the idea of normative agents.5
Strong credential and audit mechanisms
Transparency and accountability are essential requirements set forth by the legal framework. Through strong credential features we ensure that any possibilities for misuse and abuse are minimised. Strong audit measures ensure that possible misuse or abuse can be detected and corrected. These mechanisms must be built into the technology itself. Software agents must be equipped with tamper-proof mechanisms for reporting their actions to an appropriate oversight authority (Wahdan 2006).
9.2.3 System integration
The primary legal issue related to system integration is the fact that the inte- gration of different surveillance systems can have effects on privacy and liberty that are not anticipated in the current legal framework. However, in this stage of the development it is difficult, if not impossible, to draft legislation that will counter possible negative effects of system integration that are caused specifically by agent-enabled surveillance. Any regulation of surveillance that is based upon distinctions in discrete technologies will become less effective in a future where systems are integrated to an increasing extent. I believe that the focus should not be on which technologies are used for surveillance, but rather on how surveillance systems impact the balance of power between the watchers and the observed when integrated. Therefore, we must place the issue of system integration in the broader perspective of the debate about electronic surveillance, privacy, and liberty. As I have described in chapter 1 techno- logical barriers to system integration acted asde factosafeguards for privacy and liberty, when agents remove these barriers the legal framework must be re-evaluated in the light of this new reality.
With the advent of the ambient intelligence paradigm, we move closer to an environment where ubiquitous surveillance is not only possible, but also highly likely. In order to minimise any panoptic effects of surveillance that can result from this development, and in order to limit the power of govern- ment, I feel we must limit the room for system integration in the law. We must be particularly cautious to avoid that the surveillant assemblage, with its multitude of different surveillance infrastructures, becomes an instrument used by the government to exercise social control. While it may be justified in certain cases to use private surveillance infrastructures for the purpose of combating
5 Although selective revelation protects privacy and liberty to a certain extent, it does not provide protection against panoptic effects.
serious forms of crime and behaviour that pose a great threat to law and order (e.g., organised crime and terrorism), we must take care not to abuse liberal surveillance infrastructures for disciplinary purposes. Setting clear boundaries in the law of criminal procedure to the integration of disparate data sources is highly recommended. In particular we should limit the pro-active use of private sector surveillance infrastructures for disciplinary surveillance. While in the case of anti-terrorism it might be warranted to use private sector sur- veillance infrastructures pro-actively, I feel we should be extremely cautious and regularly review the use of such powers.
9.2.4 Empowering surveillance operators
Aiding surveillance operators in their tasks is one of the primary applications of agent technology. It is likely that the empowerment of surveillance operators is one of the first quantitative effects that will play a significant role in the near future.
The main question raised by this quantitative effect is how much more effective law enforcement officers and surveillance operators become as a result of using agent technology, and how we should view the authority of sur- veillance operators and law enforcement officers in the light of their increased effectiveness. Based on the answer to this question, we must then assess whether the legal safeguards that accompany a particular authority are still sufficient in the light of agent technology. If not, the authority of the sur- veillance operator or law enforcement should be revised and take into account the use of agent technology.
Possible adaptations would primarily entail removing the authority of the surveillance operator or law enforcement officer to use certain investigative powers, and limitations on the use of agent technology as described in sub- section 9.1.1. Exactly how far-reaching these adaptations should be will remain subject of debate, since an answer to this question (as with most quantitative effects) is primarily of a normative, political nature and involves balancing the effectiveness of law enforcement against the protection of privacy and (individual) liberty. Moreover, it is difficult to set any clear boundaries at this point in time since the use of agent technology by surveillance operators and law enforcement agencies is still in its infancy.
One limit on the use of agent technology that should already be set at this stage is that the authority of the software agent does not exceed that of its user. For instance, if the user (a surveillance operator or law enforcement operator) is not allowed to access certain databases, the software agent should also not be allowed to access these databases.
We can judge from this section that the basis for the regulation of agent- enabled surveillance lies in the authority of law enforcement officers to use agent-enabled surveillance. Any safeguards that are to be implemented in the
legal framework will thus be dependent on the legal status of agent-enabled surveillance. Since this discussion is so closely related to the qualitative effects of agent technology (i.e., the legal status of agents), I shall discuss this topic further in subsection 9.3.1.
9.2.5 Replacing surveillance operators
From a legal point of view, the replacement of surveillance operators by agent technology altogether, is comparable to the situation where surveillance operators become more effective. Once again we must take into account the change in the effectiveness of surveillance that is caused by agent technology and consider the legal status of the agent-enabled surveillance practice in the light of this development.
It could be argued that by removing the surveillance operator from the picture we also remove his authority. If this is the case, the use of the agent- enabled surveillance method is no longer based on any explicit authority, and could thus be deemed to have no basis in the law. If this were to be the case the use of agent-enabled surveillance methods that replace surveillance operators would need to be based on an explicit authority in the law. Per- sonally, I am in favour of this approach. In my opinion the replacement of surveillance operators by agent-enabled surveillance systems that have the ability to operate continuously can have a significant impact on privacy and liberty. Following the above reasoning would force the legislator to enact a specific statutory provision to deal with the situation. Through such a provision more specific rules can be enacted that deal with any quantitative effects the replacement of surveillance operators may have. Moreover, it seems to be in line for instance with the approach the Dutch legislator takes toward electronic surveillance technologies. In the Netherlands the use ofCCTV, a technology that effectively takes away the need for patrolling, has a separate status in the law of criminal procedure.6One final consideration might be that by giving
software agents a specific statutory basis we also provide room for more advanced applications of agent technology that could replace human operators farther in the future (i.e., undercover software agents).
Once again we see that the legal status of agent-enabled surveillance is highly relevant, therefore I shall now turn to a discussion on the legal responses to the qualitative effects of agent-enabled surveillance.
6 While I am in favour of a separate legal status for agent technology it is my opinion that it should be as technology independent as possible.
9.3 DEALING WITH THE QUALITATIVE EFFECTS OF AGENT-ENABLED SUR-