Civil libertarians like to call the USA PATRIOT Act a Big Brother nightmare come true. But if the rush by software companies to cash in on Congress' attempt to combat terrorism is any indication, it's not the government that privacy advocates should be watching with suspicion. It's the free market.
Witness one recent marketing campaign from database company Sybase: "Compliance with the USA PATRIOT Act has never been easier, thanks to Sybase's PATRIOTcompliance Solution," reads a promotion for the company's new anti-money-laundering product on its Web site.
Title III of the USA PATRIOT Act steps up the requirements for financial institutions -- banks, insurance firms, credit card companies -- to monitor customer transactions for suspicious activity. That means new markets for companies already peddling anti-money-laundering software, known as "AML solutions."
"Although the law imposes new burdens on banks, it is proving to be a boon for vendors of AML and related products and technology," wrote Breffni McGuire, a senior analyst for TowerGroup, a financial services technology research firm, in a report titled "The USA Patriot Act: Impact on AML Vendors and the Market." She reported that vendors saw inquiries about the technology rise 200 to 300 percent in the months following Sept. 11.
Monitoring for money laundering isn't as easy as simply flagging all wire transfers over $10,000. Bob Breton, a senior director of product strategy for the e-business division of Sybase, says that the PATRIOT Act has thrown down a gauntlet to financial institutions challenging them to know their customers better, without specifying exactly how they should do that: "This is forcing institutions to think more completely about their view of a customer. What kind of business are they in? What sort of transactions do they do? Who do they do business with? Are they writing checks to unusually named charities? That's the challenge: How do you determine what is normal?"
Financial institutions are also required to check their customers against known-terrorist watch lists, which is technically harder than it sounds. One bank initially flagged 20,000 customers, according to Breton, because they all lived in a city called Binfield -- which was just a little too close for comfort to Osama bin Laden.
But while the PATRIOT Act tells banks that they must have an anti-money-laundering program, an officer responsible for it, a training program, and an audit of their system, it doesn't tell them exactly what that program should consist of. "The regulations generally tell you what you need to do at kind of a 60,000-foot level," says TowerGroup's McGuire. "But they don't tell you how you should do it. And they certainly don't tell you what technology you need."
For software companies desperately looking for new markets during an industrywide recession, the PATRIOT Act, in conjunction with DARPA's ambitious Total Information Awareness data-mining scheme, is a godsend. Financial institutions, universities and government agencies are all feeling pressure to keep a closer watch for lurking terrorists. Welcome to the digital police state, shrinkwrapped by a Silicon Valley start-up near you.
There is plenty of incentive for companies to meet the new regulations by installing new software. They can avoid not only federal fines but also the stigma of being associated with shady transactions. Western Union and eBay's PayPal are two of the higher-profile cases so far of companies falling afoul of the PATRIOT Act.
Its vague yet sweeping requirements have made the PATRIOT Act a marketing opportunity for a slew of companies, including Mantas, SearchSpace, NetEconomy, ACI Worldwide, HNC Software, Prime Associates, and Sybase, among others. Prices for their software offerings, when consulting and installation fees are added in, range from the low five figures into the millions. Entire technical conferences are being thrown for "compliance officers" to find out about the latest anti-money-laundering solutions.
Financial organizations aren't the only institutions with a USA PATRIOT compliance to-do list that means business for software companies. Universities are also required to report regularly on the status of foreign students, directly to the federal Immigration and Naturalization Service.
PeopleSoft's PATRIOT Act Student and Exchange Visitor Information System Solution helps educational institutions comply with the new requirement for colleges and universities to inform the INS when foreign students go from full to part time, get married, or change their address.
"The concept of tracking foreign students was not new," says Kimberly Williams, the director of strategy for education and government for PeopleSoft, "but the PATRIOT Act required that they track more information than they had before and that they physically enter it into the INS system." PeopleSoft gives away the new code that helps its university clients communicate with the INS, as an upgrade to its Student Administration product.
Then there's the whole range of products that software companies are now selling directly to the government to help it monitor citizens. The Electronic Privacy Information Center, a public interest research group sued the Department of Defense under the Freedom of Information Act to obtain access to documents detailing which software companies, universities and research institutes had won contracts to create the virtual dragnet.
"We wanted to find out how these systems are being developed, who the developers are, what technology they propose to use, are they effective technologies and what the public can expect out of such a system," said Mihir Kshirsagar, a policy analyst with the Electronic Privacy Information Center.
The documents released so far list 23 entities -- including the consulting company Booz Allen Hamilton, Lockheed Martin Information Systems and the University of Southern California -- that stand to profit from the Total Information Awareness program by providing technology to the Department of Defense to carry out electronic surveillance projects.
But even the watchdog group that's monitoring the contracts has a difficult time interpreting just what the jargon in those documents -- a mishmash of buzzwords describing storage, collaboration and integration software -- adds up to. "It's actually hard to say what exactly these software vendors are supplying to the Total Information Awareness project," says Kshirsagar.
It's hard to fault software companies for looking for new markets, but some observers still find the spectacle of firms rushing to deliver spy software distasteful.
"Companies climbing all over each to be the first to sell the tools of surveillance to the government and to other companies is unseemly," says Cindy Cohn, an attorney for the Electronic Frontier Foundation. While the software companies enjoy the new demand for their PATRIOT-inspired solutions, the EFF has another solution in mind for the act; it's currently leading a letter-writing campaign in support of two members of the House who are calling for congressional hearings on the act.