Entries Tagged "national security policy"

Page 54 of 59

DHS Privacy Office Report on MATRIX

The Privacy Office of the Department of Homeland Security has issued a report on MATRIX: The Multistate Anti-Terrorism Information Exchange. MATRIX is a now-defunct data mining and data sharing program among federal, state, and local law enforcement agencies, one of the many data-mining programs going on in government (TIA—Total Information Awareness—being the most famous, and Tangram being the newest).

The report is short, and very critical of the program’s inattention to privacy and lack of transparency. That’s probably why it was released to the public just before Christmas, burying it in the media.

Posted on January 3, 2007 at 11:58 AMView Comments

New Congress: Changes at the U.S. Borders

Item #1: US-VISIT, the program to keep better track of people coming in and out of the U.S. (more information here, here, here, and here), is running into all sorts of problems.

In a major blow to the Bush administration’s efforts to secure borders, domestic security officials have for now given up on plans to develop a facial or fingerprint recognition system to determine whether a vast majority of foreign visitors leave the country, officials say.

[…]

But in recent days, officials at the Homeland Security Department have conceded that they lack the financing and technology to meet their deadline to have exit-monitoring systems at the 50 busiest land border crossings by next December. A vast majority of foreign visitors enter and exit by land from Mexico and Canada, and the policy shift means that officials will remain unable to track the departures.

A report released on Thursday by the Government Accountability Office, the nonpartisan investigative arm of Congress, restated those findings, reporting that the administration believes that it will take 5 to 10 years to develop technology that might allow for a cost-effective departure system.

Domestic security officials, who have allocated $1.7 billion since the 2003 fiscal year to track arrivals and departures, argue that creating the program with the existing technology would be prohibitively expensive.

They say it would require additional employees, new buildings and roads at border crossings, and would probably hamper the vital flow of commerce across those borders.

Congress ordered the creation of such a system in 1996.

In an interview last week, the assistant secretary for homeland security policy, Stewart A. Baker, estimated that an exit system at the land borders would cost “tens of billions of dollars” and said the department had concluded that such a program was not feasible, at least for the time being.

“It is a pretty daunting set of costs, both for the U.S. government and the economy,” Mr. Stewart said. “Congress has said, ‘We want you to do it.’ We are not going to ignore what Congress has said. But the costs here are daunting.

“There are a lot of good ideas and things that would make the country safer. But when you have to sit down and compare all the good ideas people have developed against each other, with a limited budget, you have to make choices that are much harder.”

I like the trade-off sentiment of that quote.

My guess is that the program will be completely killed by Congress in 2007. (More articles here and here, and an editorial here.)

Item #2: The new Congress is—wisely, I should add—unlikely to fund the 700-mile fence along the Mexican border.

Item #3: I hope they examine the Coast Guard’s security failures and cost overruns.

Item #4: Note this paragraph from the last article:

During a drill in which officials pretended that a ferry had been hijacked by terrorists, the Coast Guard and the Federal Bureau of Investigation competed for the right to take charge, a contest that became so intense that the Coast Guard players manipulated the war game to cut the F.B.I. out, government auditors say.

Seems that there are still serious turf battles among government agencies involved with terrorism. It would be nice if Congress spent some time on this (actually important) problem.

Posted on January 2, 2007 at 12:26 PMView Comments

Automated Targeting System

If you’ve traveled abroad recently, you’ve been investigated. You’ve been assigned a score indicating what kind of terrorist threat you pose. That score is used by the government to determine the treatment you receive when you return to the U.S. and for other purposes as well.

Curious about your score? You can’t see it. Interested in what information was used? You can’t know that. Want to clear your name if you’ve been wrongly categorized? You can’t challenge it. Want to know what kind of rules the computer is using to judge you? That’s secret, too. So is when and how the score will be used.

U.S. customs agencies have been quietly operating this system for several years. Called Automated Targeting System, it assigns a “risk assessment” score to people entering or leaving the country, or engaging in import or export activity. This score, and the information used to derive it, can be shared with federal, state, local and even foreign governments. It can be used if you apply for a government job, grant, license, contract or other benefit. It can be shared with nongovernmental organizations and individuals in the course of an investigation. In some circumstances private contractors can get it, even those outside the country. And it will be saved for 40 years.

Little is known about this program. Its bare outlines were disclosed in the Federal Register in October. We do know that the score is partially based on details of your flight record—where you’re from, how you bought your ticket, where you’re sitting, any special meal requests—or on motor vehicle records, as well as on information from crime, watch-list and other databases.

Civil liberties groups have called the program Kafkaesque. But I have an even bigger problem with it. It’s a waste of money.

The idea of feeding a limited set of characteristics into a computer, which then somehow divines a person’s terrorist leanings, is farcical. Uncovering terrorist plots requires intelligence and investigation, not large-scale processing of everyone.

Additionally, any system like this will generate so many false alarms as to be completely unusable. In 2005 Customs & Border Protection processed 431 million people. Assuming an unrealistic model that identifies terrorists (and innocents) with 99.9% accuracy, that’s still 431,000 false alarms annually.

The number of false alarms will be much higher than that. The no-fly list is filled with inaccuracies; we’ve all read about innocent people named David Nelson who can’t fly without hours-long harassment. Airline data, too, are riddled with errors.

The odds of this program’s being implemented securely, with adequate privacy protections, are not good. Last year I participated in a government working group to assess the security and privacy of a similar program developed by the Transportation Security Administration, called Secure Flight. After five years and $100 million spent, the program still can’t achieve the simple task of matching airline passengers against terrorist watch lists.

In 2002 we learned about yet another program, called Total Information Awareness, for which the government would collect information on every American and assign him or her a terrorist risk score. Congress found the idea so abhorrent that it halted funding for the program. Two years ago, and again this year, Secure Flight was also banned by Congress until it could pass a series of tests for accuracy and privacy protection.

In fact, the Automated Targeting System is arguably illegal, as well (a point several congressmen made recently); all recent Department of Homeland Security appropriations bills specifically prohibit the department from using profiling systems against persons not on a watch list.

There is something un-American about a government program that uses secret criteria to collect dossiers on innocent people and shares that information with various agencies, all without any oversight. It’s the sort of thing you’d expect from the former Soviet Union or East Germany or China. And it doesn’t make us any safer from terrorism.

This essay, without the links, was published in Forbes. They also published a rebuttal by William Baldwin, although it doesn’t seen to rebut any of the actual points.

Here’s an odd division of labor: a corporate data consultant argues for more openness, while a journalist favors more secrecy.

It’s only odd if you don’t understand security.

Posted on December 22, 2006 at 11:38 AMView Comments

American Authorities Secretly Give International Travellers Terrorist "Risk" Score

From the Associated Press:

Without notifying the public, federal agents for the past four years have assigned millions of international travelers, including Americans, computer-generated scores rating the risk they pose of being terrorists or criminals.

The travelers are not allowed to see or directly challenge these risk assessments, which the government intends to keep on file for 40 years.

The scores are assigned to people entering and leaving the United States after computers assess their travel records, including where they are from, how they paid for tickets, their motor vehicle records, past one-way travel, seating preference and what kind of meal they ordered.

The program’s existence was quietly disclosed earlier in November when the government put an announcement detailing the Automated Targeting System, or ATS, for the first time in the Federal Register, a fine-print compendium of federal rules. Privacy and civil liberties lawyers, congressional aides and even law enforcement officers said they thought this system had been applied only to cargo.

Like all these systems, we are all judged in secret, by a computer algorithm, with no way to see or even challenge our score. Kafka would be proud.

“If this catches one potential terrorist, this is a success,” Ahern said.

That’s just too idiotic a statement to even rebut.

EDITED TO ADD (12/3): More commentary.

Posted on December 1, 2006 at 12:12 PMView Comments

A Classified Wikipedia

A good idea:

The office of U.S. intelligence czar John Negroponte announced Intellipedia, which allows intelligence analysts and other officials to collaboratively add and edit content on the government’s classified Intelink Web much like its more famous namesake on the World Wide Web.

A “top secret” Intellipedia system, currently available to the 16 agencies that make up the U.S. intelligence community, has grown to more than 28,000 pages and 3,600 registered users since its introduction on April 17. Less restrictive versions exist for “secret” and “sensitive but unclassified” material.

Posted on November 15, 2006 at 6:41 AMView Comments

Total Information Awareness Is Back

Remember Total Information Awareness?

In November 2002, the New York Times reported that the Defense Advanced Research Projects Agency (DARPA) was developing a tracking system called “Total Information Awareness” (TIA), which was intended to detect terrorists through analyzing troves of information. The system, developed under the direction of John Poindexter, then-director of DARPA’s Information Awareness Office, was envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant.

TIA purported to capture the “information signature” of people so that the government could track potential terrorists and criminals involved in “low-intensity/low-density” forms of warfare and crime. The goal was to track individuals through collecting as much information about them as possible and using computer algorithms and human analysis to detect potential activity.

The project called for the development of “revolutionary technology for ultra-large all-source information repositories,” which would contain information from multiple sources to create a “virtual, centralized, grand database.” This database would be populated by transaction data contained in current databases such as financial records, medical records, communication records, and travel records as well as new sources of information. Also fed into the database would be intelligence data.

The public found it so abhorrent, and objected so forcefully, that Congress killed funding for the program in September 2003.

None of us thought that meant the end of TIA, only that it would turn into a classified program and be renamed. Well, the program is now called Tangram, and it is classified:

The government’s top intelligence agency is building a computerized system to search very large stores of information for patterns of activity that look like terrorist planning. The system, which is run by the Office of the Director of National Intelligence, is in the early research phases and is being tested, in part, with government intelligence that may contain information on U.S. citizens and other people inside the country.

It encompasses existing profiling and detection systems, including those that create “suspicion scores” for suspected terrorists by analyzing very large databases of government intelligence, as well as records of individuals’ private communications, financial transactions, and other everyday activities.

The information about Tangram comes from a government document looking for contractors to help design and build the system.

DefenseTech writes:

The document, which is a description of the Tangram program for potential contractors, describes other, existing profiling and detection systems that haven’t moved beyond so-called “guilt-by-association models,” which link suspected terrorists to potential associates, but apparently don’t tell analysts much about why those links are significant. Tangram wants to improve upon these methods, as well as investigate the effectiveness of other detection links such as “collective inferencing,” which attempt to create suspicion scores of entire networks of people simultaneously.

Data mining for terrorists has always been a dumb idea. And the existence of Tangram illustrates the problem with Congress trying to stop a program by killing its funding; it just comes back under a different name.

Posted on October 31, 2006 at 6:59 AMView Comments

Air Cargo Security

BBC is reporting a “major” hole in air cargo security. Basically, cargo is being flown on passenger planes without being screened. A would-be terrorist could therefore blow up a passenger plane by shipping a bomb via FedEx.

In general, cargo deserves much less security scrutiny than passengers. Here’s the reasoning:

Cargo planes are much less of a terrorist risk than passenger planes, because terrorism is about innocents dying. Blowing up a planeload of FedEx packages is annoying, but not nearly as terrorizing as blowing up a planeload of tourists. Hence, the security around air cargo doesn’t have to be as strict.

Given that, if most air cargo flies around on cargo planes, then it’s okay for some small amount—assuming it’s random and assuming the shipper doesn’t know which packages beforehand—of cargo to fly as baggage on passenger planes. A would-be terrorist would be better off taking his bomb and blowing up a bus than shipping it and hoping it might possibly be put on a passenger plane.

At least, that’s the theory. But theory and practice are different.

The British system involves “known shippers”:

Under a system called “known shipper” or “known consignor” companies which have been security vetted by government appointed agents can send parcels by air, which do not have to be subjected to any further security checks.

Unless a package from a known shipper arouses suspicion or is subject to a random search it is taken on trust that its contents are safe.

But:

Captain Gary Boettcher, president of the US Coalition Of Airline Pilots Associations, says the “known shipper” system “is probably the weakest part of the cargo security today”.

“There are approx 1.5 million known shippers in the US. There are thousands of freight forwarders. Anywhere down the line packages can be intercepted at these organisations,” he said.

“Even reliable respectable organisations, you really don’t know who is in the warehouse, who is tampering with packages, putting parcels together.”

This system has already been exploited by drug smugglers:

Mr Adeyemi brought pounds of cocaine into Britain unchecked by air cargo, transported from the US by the Federal Express courier company. He did not have to pay the postage.

This was made possible because he managed to illegally buy the confidential Fed Ex account numbers of reputable and security cleared companies from a former employee.

An accomplice in the US was able to put the account numbers on drugs parcels which, as they appeared to have been sent by known shippers, arrived unchecked at Stansted Airport.

When police later contacted the companies whose accounts and security clearance had been so abused they discovered they had suspected nothing.

And it’s not clear that a terrorist can’t figure out which shipments are likely to be put on passenger aircraft:

However several large companies such as FedEx and UPS offer clients the chance to follow the progress of their parcels online.

This is a facility that Chris Yates, an expert on airline security for Jane’s Transport, says could be exploited by terrorists.

“From these you can get a fair indication when that package is in the air, if you are looking to get a package into New York from Heathrow at a given time of day.

And BBC reports that 70% of cargo is shipped on passenger planes. That seems like too high a number.

If we had infinite budget, of course we’d screen all air cargo. But we don’t, and it’s a reasonable trade-off to ignore cargo planes and concentrate on passenger planes. But there are some awfully big holes in this system.

Posted on October 24, 2006 at 6:11 AMView Comments

Scorecard from the War on Terror

This is absolutely essential reading for anyone interested in how the U.S. is prosecuting terrorism. Put aside the rhetoric and the posturing; this is what is actually happening.

Among the key findings about the year-by-year enforcement trends in the period were the following:

  • In the twelve months immediately after 9/11, the prosecution of individuals the government classified as international terrorists surged sharply higher than in the previous year. But timely data show that five years later, in the latest available period, the total number of these prosecutions has returned to roughly what they were just before the attacks. Given the widely accepted belief that the threat of terrorism in all parts of the world is much larger today than it was six or seven years ago, the extent of the recent decline in prosecutions is unexpected. See Figure 1 and supporting table.
  • Federal prosecutors by law and custom are authorized to decline cases that are brought to them for prosecution by the investigative agencies. And over the years the prosecutors have used this power to weed out matters that for one reason or another they felt should be dropped. For international terrorism the declination rate has been high, especially in recent years. In fact, timely data show that in the first eight months of FY 2006 the assistant U.S. Attorneys rejected slightly more than nine out of ten of the referrals. Given the assumption that the investigation of international terrorism must be the single most important target area for the FBI and other agencies, the turn-down rate is hard to understand. See Figure 2 and supporting table.
  • The typical sentences recently imposed on individuals considered to be international terrorists are not impressive. For all those convicted as a result of cases initiated in the two years after 9//11, for example, the median sentence—half got more and half got less—was 28 days. For those referrals that came in more recently—through May 31, 2006—the median sentence was 20 days. For cases started in the two year period before the 9/11 attack, the typical sentence was much longer, 41 months. See Figure 3.

Transactional Records Access Clearinghouse (TRAC) puts this data together by looking at Justice Department records. The data research organization is connected to Syracuse University, and has been doing this sort of thing—tracking what federal agencies actually do rather than what they say they do—for over fifteen years.

I am particularly entertained by the Justice Department’s rebuttal, which basically just calls the study names without offering any substantive criticism:

The Justice Department took issue with the study’s methodology and its conclusions.

The study “ignores the reality of how the war on terrorism is prosecuted in federal courts across the country and the value of early disruption of potential terrorist acts by proactive prosecution,” said Bryan Sierra, a Justice Department spokesman.

“The report presents misleading analysis of Department of Justice statistics to suggest the threat of terrorism may be inaccurate or exaggerated. The Department of Justice disagrees with this suggestion.”

How do I explain it? Most “terrorism” arrests are not for actual terrorism; they’re for other things. The cases are either thrown out for lack of evidence, or the penalties are more in line with the actual crimes. I don’t care what anyone from the Justice Department says: someone who is jailed for four weeks did not commit a terrorist act.

Posted on September 5, 2006 at 6:04 AMView Comments

1 52 53 54 55 56 59

Sidebar photo of Bruce Schneier by Joe MacInnis.