Entries Tagged "watch lists"

Page 3 of 6

Ordinary People Being Labeled as Terrorists

By law, every business has to check their customers against a list of “specially designated nationals,” and not do business with anyone on that list.

Of course, the list is riddled with bad names and many innocents get caught up in the net. And many businesses decide that it’s easier to turn away potential customers with whose name is on the list, creating — well — a shunned class:

Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a “son of Saddam Hussein.”

The record is not clear on whether Ali Saddam Hussein was a Hussein offspring, but the OFAC list stated he was born in 1980 or 1983. Kubbany was born in Detroit in 1949.

Under OFAC guidance, the date discrepancy signals a false match. Still, Kubbany said, the broker decided not to proceed. “She just talked with a bunch of lenders over the phone and they said, ‘No,’ ” he said. “So we said, ‘The heck with it. We’ll just go somewhere else.’ ”

Kubbany and his wife are applying for another loan, though he worries that the stigma lingers. “There’s a dark cloud over us,” he said. “We will never know if we had qualified for the mortgage last summer, then we might have been in a house now.”

Saad Ali Muhammad is an African American who was born in Chicago and converted to Islam in 1980. When he tried to buy a used car from a Chevrolet dealership three years ago, a salesman ran his credit report and at the top saw a reference to “OFAC search,” followed by the names of terrorists including Osama bin Laden. The only apparent connection was the name Muhammad. The credit report, also by TransUnion, did not explain what OFAC was or what the credit report user should do with the information. Muhammad wrote to TransUnion and filed a complaint with a state human rights agency, but the alert remains on his report, Sinnar said.

Colleen Tunney-Ryan, a TransUnion spokeswoman, said in an e-mail that clients using the firm’s credit reports are solely responsible for any action required by federal law as a result of a potential match and that they must agree they will not take any adverse action against a consumer based solely on the report.

The lawyers’ committee documented other cases, including that of a couple in Phoenix who were about to close on their first home, only to be told the sale could not proceed because the husband’s first and last names — common Hispanic names — matched an entry on the OFAC list. The entry did not include a date or place of birth, which could have helped distinguish the individuals.

In another case, a Roseville, Calif., couple wanted to buy a treadmill from a home fitness store on a financing plan. A bank representative told the salesperson that because the husband’s first name was Hussein, the couple would have to wait 72 hours while they were investigated. Though the couple eventually received the treadmill, they were so embarrassed by the incident they did not want their names in the report, Sinnar said.

This is the same problem as the no-fly list, only in a larger context. And it’s no way to combat terrorism. Thankfully, many businesses don’t know to check this list and people whose names are similar to suspected terrorists’ can still lead mostly normal lives. But the trend here is not good.

Posted on April 10, 2007 at 6:23 AMView Comments

The U.S. Terrorist Database

Interesting article about the terrorist database: Terrorist Identities Datamart Environment (TIDE).

It’s huge:

Ballooning from fewer than 100,000 files in 2003 to about 435,000, the growing database threatens to overwhelm the people who manage it. “The single biggest worry that I have is long-term quality control,” said Russ Travers, in charge of TIDE at the National Counterterrorism Center in McLean. “Where am I going to be, where is my successor going to be, five years down the road?”

TIDE has also created concerns about secrecy, errors and privacy. The list marks the first time foreigners and U.S. citizens are combined in an intelligence database. The bar for inclusion is low, and once someone is on the list, it is virtually impossible to get off it. At any stage, the process can lead to “horror stories” of mixed-up names and unconfirmed information, Travers acknowledged.

Mostly the article tells you things you already know: the list is riddled with errors, and there’s no defined process for getting on or off the list. But the most surreal quote is at the end, from Rick Kopel, the center’s acting director:

The center came in for ridicule last year when CBS’s “60 Minutes” noted that 14 of the 19 Sept. 11 hijackers were listed — five years after their deaths. Kopel defended the listings, saying that “we know for a fact that these people will use names that they believe we are not going to list because they’re out of circulation — either because they’re dead or incarcerated. . . . It’s not willy-nilly. Every name on the list, there’s a reason that it’s on there.”

Get that? There’s someone who deliberately puts wrong names on the list because they think the terrorists might use aliases, and they want to catch them. Given that reasoning, wouldn’t you want to put the entire phone book on the list?

Posted on March 26, 2007 at 2:05 PMView Comments

Money Laundering Inside the U.S.

With all the attention on foreign money laundering, we’re ignoring the problem in our own country.

How widespread is the problem? No one really knows for sure because the states “have no idea who is behind the companies they have incorporated,” says Senator Carl Levin (D–Mich.), who is trying to force the states to insist on greater transparency. “The United States should never be the situs of choice for international crime, but that is exactly what the lax regulatory regimes in some of our states are inviting.” The Financial Crimes Enforcement Network, the U.S. Treasury bureau investigating money laundering, says roughly $14 billion worth of suspicious transactions involving private U.S. shells and overseas bank accounts came in from banks from 2004 to 2005, the latest Treasury data available. That’s up from $4 billion for the long stretch between April 1996 and January 2004. Now, estimates the FBI, anonymously held U.S. shell companies have laundered $36 billion to date just from the former Soviet Union.

State governments provide plenty of cover for bad guys. Every year they incorporate 1.9 million or so private companies, but no state verifies or records the identities of owners, much less screens ownership information against criminal watch lists, according to a study by the Government Accountability Office. “You have to supply more information to get a driver’s license than you do to form one of these nonpublicly traded corporations,” says Senator Levin.

Posted on February 28, 2007 at 7:59 AMView Comments

Secure Flight Privacy Report

The Department of Homeland Security’s own Privacy Office released a report on privacy issues with Secure Flight, the new airline passenger matching program. It’s not good, which is why the government tried to bury it by releasing it to the public the Friday before Christmas. And that’s why I’m waiting until after New Year’s Day before posting this.

Secure Flight Report: DHS Privacy Office Report to the Public on the Transportation Security Administration’s Secure Flight Program and Privacy Recommendations“:

Summary:

The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary concerns raised by the Government Accountability Office (GAO) that, contrary to published privacy notices and public statements, TSA may have accessed and stored personally identifying data from commercial sources as part of its efforts to fashion a passenger prescreening program.

These new concerns followed much earlier public complaints that TSA collected passenger name record data from airlines to test the developmental passenger prescreening program without giving adequate notice to the public. Thus, the Privacy Office’s review of the Secure Flight commercial data testing also sought to determine whether the data collection from air carriers and commercial data brokers about U.S. persons was consistent with published privacy documents.

The Privacy Office appreciates the cooperation in this review by TSA management, staff, and contractors involved in the commercial data testing. The Privacy Office wishes to recognize that, with the best intentions, TSA undertook considerable efforts to address information privacy and security in the development of the Secure Flight Program. Notwithstanding these efforts, we are concerned that shortcomings identified in this report reflect what appear to be largely unintentional, yet significant privacy missteps that merit the careful attention and privacy leadership that TSA Administrator Kip Hawley is giving to the development of the Secure Flight program and, in support of which, the DHS Acting Chief Privacy Officer has committed to provide Privacy Office staff resources and privacy guidance.

I’ve written about Secure Flight many times. I suppose this is a good summary post. This is a post about the Secure Flight Privacy/IT Working Group, which I was a member of, and its final report. That link also includes links to my other posts on the program.

Posted on January 2, 2007 at 7:24 AMView Comments

American Authorities Secretly Give International Travellers Terrorist "Risk" Score

From the Associated Press:

Without notifying the public, federal agents for the past four years have assigned millions of international travelers, including Americans, computer-generated scores rating the risk they pose of being terrorists or criminals.

The travelers are not allowed to see or directly challenge these risk assessments, which the government intends to keep on file for 40 years.

The scores are assigned to people entering and leaving the United States after computers assess their travel records, including where they are from, how they paid for tickets, their motor vehicle records, past one-way travel, seating preference and what kind of meal they ordered.

The program’s existence was quietly disclosed earlier in November when the government put an announcement detailing the Automated Targeting System, or ATS, for the first time in the Federal Register, a fine-print compendium of federal rules. Privacy and civil liberties lawyers, congressional aides and even law enforcement officers said they thought this system had been applied only to cargo.

Like all these systems, we are all judged in secret, by a computer algorithm, with no way to see or even challenge our score. Kafka would be proud.

“If this catches one potential terrorist, this is a success,” Ahern said.

That’s just too idiotic a statement to even rebut.

EDITED TO ADD (12/3): More commentary.

Posted on December 1, 2006 at 12:12 PMView Comments

Global Envelope

The DHS wants to share terrorist biometric information:

Robert Mocny, acting director of the U.S. Visitor and Immigrant Status Indicator Technology program, outlined a proposal under which the United States would begin exchanging information about terrorists first with closely allied governments in Britain, Europe and Japan ,and then progressively extend the program to other countries as a means of foiling terrorist attacks.

The Global Envelope proposal apparently opened the door to the exchange of biometric information about persons in this country to other governments and vice versa, in an environment where even officials’ pledges to observe privacy principles collide with inconsistent or absent legal protections.

In remarks to the International Conference on Biometrics and Ethics in Washington this afternoon, Mocny repeatedly stressed DHS’ commitment to observing privacy principles during the design and implementation of its biometric systems. “We have a responsibility to use this information wisely and responsibly,” he said.

Mocny cited the need to avoid duplication of effort by developing technical standards that all national biometric identification systems would use.

He emphasized repeatedly that information sharing is appropriate around the world on biometric methods of identifying terrorists who pose a risk to the public. Noting that his organization already receives information about terrorist threats from around the globe, Mocny said, “We have a responsibility to make a Global Security Envelope [that would coordinate information policies and technical standards.]”

Mocny conceded that each of the 10 privacy laws currently in effect in the United States has an exemption clause for national-security purposes. He added that the department only resorts to its essentially unlimited authority under those clauses when officials decide that there are compelling reasons to do so.

Anyone think that this will be any better than the no-fly list?

Posted on November 30, 2006 at 12:51 PMView Comments

New U.S. Customs Database on Trucks and Travellers

It’s yet another massive government surveillance program:

US Customs and Border Protection issued a notice in the Federal Register yesterday which detailed the agency’s massive database that keeps risk assessments on every traveler entering or leaving the country. Citizens who are concerned that their information is inaccurate are all but out of luck: the system “may not be accessed under the Privacy Act for the purpose of contesting the content of the record.”

The system in question is the Automated Targeting System, which is associated with the previously-existing Treasury Enforcement Communications System. TECS was built to screen people and assets that moved in and out of the US, and its database contains more than one billion records that are accessible by more than 30,000 users at 1,800 sites around the country. Customs has adapted parts of the TECS system to its own use and now plans to screen all passengers, inbound and outbound cargo, and ships.

The system creates a risk assessment for each person or item in the database. The assessment is generated from information gleaned from federal and commercial databases, provided by people themselves as they cross the border, and the Passenger Name Record information recorded by airlines. This risk assessment will be maintained for up to 40 years and can be pulled up by agents at a moment’s notice in order to evaluate potential threats against the US.

If you leave the country, the government will suddenly know a lot about you. The Passenger Name Record alone contains names, addresses, telephone numbers, itineraries, frequent-flier information, e-mail addresses — even the name of your travel agent. And this information can be shared with plenty of people:

  • Federal, state, local, tribal, or foreign governments
  • A court, magistrate, or administrative tribunal
  • Third parties during the course of a law enforcement investigation
  • Congressional office in response to an inquiry
  • Contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, or grant
  • Any organization or person who might be a target of terrorist activity or conspiracy
  • The United States Department of Justice
  • The National Archives and Records Administration
  • Federal or foreign government intelligence or counterterrorism agencies
  • Agencies or people when it appears that the security or confidentiality of their information has been compromised.

That’s a lot of people who could be looking at your information and your government-designed risk assessment. The one person who won’t be looking at that information is you. The entire system is exempt from inspection and correction under provision 552a (j)(2) and (k)(2) of US Code Title 5, which allows such exemptions when the data in question involves law enforcement or intelligence information.

This means you can’t review your data for accuracy, and you can’t correct any errors.

But the system can be used to give you a risk assessment score, which presumably will affect how you’re treated when you return to the U.S.

I’ve already explained why data mining does not find terrorists or terrorist plots. So have actual math professors. And we’ve seen this kind of “risk assessment score” idea and the problems it causes with Secure Flight.

This needs some mainstream press attention.

EDITED TO ADD (11/4): More commentary here, here, and here.

EDITED TO ADD (11/5): It’s buried in the back pages, but at least The Washington Post wrote about it.

Posted on November 4, 2006 at 9:19 AMView Comments

Review of U.S. Customs and Border Protection Anti-Terrorist Actions

Department of Homeland Security, Office of the Inspector General, “Review of CBP Actions Taken to Intercept Suspected Terrorists at U.S. Ports of Entry,” OIG-06-43, June 2006.

Results in Brief:

CBP has improved information sharing capabilities within the organization to smooth the flow of arriving passengers and increase the effectiveness of limited resources at POEs. Earlier, officers at POEs possessed limited information to help them resolve the identities of individuals mistakenly matched to the terrorist watch list, but a current initiative aims to provide supervisors at POEs with much more information to help them positively identify and clear individuals with names similar to those in the terrorist database. CBP procedures are highly prescriptive and withhold from supervisors the authority to make timely and informed decisions regarding the admissibility of individuals who they could quickly confirm are not the suspected terrorist.

As CBP has stepped up its efforts to intercept known and suspected terrorists at ports of entry, traditional missions such as narcotics interdiction and identification of fraudulent immigration documentation have been adversely affected. Recent data indicates a significant decrease over the past few years in the interception of narcotics and the identification of fraudulent immigration documents, especially at airports.

When a watchlisted or targeted individual is encountered at a POE, CBP generates several reports summarizing the incident. Each of these reports provides a different level of detail, and is distributed to a different readership. It is unclear, however, how details of the encounter and the information obtained from the suspected terrorist are disseminated for analysis. This inconsistent reporting is preventing DHS from developing independent intelligence assessments and may be preventing important information from inclusion in national strategic intelligence analyses.

During an encounter with a watchlisted individual, CBP officers at the POE often need to discuss sensitive details about the individual with law enforcement agencies and CBP personnel in headquarters offices. Some case details are classified. Because some CBP officers at POEs have not been granted the necessary security clearance, they are unable to review important information about a watchlisted individual and may not be able to participate with law enforcement agencies in interviews of certain individuals.

To improve the effectiveness of CBP personnel in their mission to prevent known and suspected terrorists from entering the United States, we are recommending that CBP: expand a biometric information collection program to include volunteers who would not normally provide this information when entering the United States; authorize POE supervisors limited discretion to make more timely admissibility determinations; review port of entry staffing models to ensure the current workforce is able to perform the entire range of CBP mission; establish a policy for more consistent reporting to intelligence agencies the details gathered during secondary interviews; and ensure all counterterrorism personnel at POEs are granted an appropriate security clearance.

Posted on August 15, 2006 at 1:19 PMView Comments

Sky Marshals Name Innocents to Meet Quota

One news source is reporting that sky marshals are reporting on innocent people in order to meet a quota:

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments.

“Innocent passengers are being entered into an international intelligence database as suspicious persons, acting in a suspicious manner on an aircraft … and they did nothing wrong,” said one federal air marshal.

[…]

These unknowing passengers who are doing nothing wrong are landing in a secret government document called a Surveillance Detection Report, or SDR. Air marshals told 7NEWS that managers in Las Vegas created and continue to maintain this potentially dangerous quota system.

“Do these reports have real life impacts on the people who are identified as potential terrorists?” 7NEWS Investigator Tony Kovaleski asked.

“Absolutely,” a federal air marshal replied.

[…]

What kind of impact would it have for a flying individual to be named in an SDR?

“That could have serious impact … They could be placed on a watch list. They could wind up on databases that identify them as potential terrorists or a threat to an aircraft. It could be very serious,” said Don Strange, a former agent in charge of air marshals in Atlanta. He lost his job attempting to change policies inside the agency.

This is so insane, it can’t possibly be true. But I have been stunned before by the stupidity of the Department of Homeland Security.

EDITED TO ADD (7/27): This is what Brock Meeks said on David Farber’s IP mailing list:

Well, it so happens that I was the one that BROKE this story… way back in 2004. There were at least two offices, Miami and Las Vegas that had this quota system for writing up and filing “SDRs.”

The requirement was totally renegade and NOT endorsed by Air Marshal officials in Washington. The Las Vegas Air Marshal field office was (I think he’s retired now) by a real cowboy at the time, someone that caused a lot of problems for the Washington HQ staff. (That official once grilled an Air Marshal for three hours in an interrogation room because he thought the air marshal was source of mine on another story. The air marshal was then taken off flight status and made to wash the office cars for two weeks… I broke that story, too. And no, the punished air marshal was never a source of mine.)

Air marshals told they were filing false reports, as they did below, just to hit the quota.

When my story hit, those in the offices of Las Vegas and Miami were reprimanded and the practice was ordered stopped by Washington HQ.

I suppose the biggest question I have for this story is the HYPE of what happens to these reports. They do NOT place the person mention on a “watch list.” These reports, filed on Palm Pilot PDAs, go into an internal Air Marshal database that is rarely seen and pretty much ignored by other intelligence agencies, from all sources I talked to.

Why? Because the air marshals are seen as little more than “sky cops” and these SDRs considered little more than “field interviews” that cops sometimes file when they question someone loitering at a 7-11 too late at night.

The quota system, if it is still going on, is heinous, but it hardly results in the big spooky data collection scare that this cheapjack Denver “investigative” TV reporter makes it out to be.

The quoted former field official from Atlanta, Don Strange, did, in fact, lose his job over trying to chance internal policies. He was the most well-liked official among the rank and file and the Atlanta office, under his command, had the highest morale in the nation.

Posted on July 25, 2006 at 9:55 AMView Comments

Privacy-Enhanced Data Mining

There are a variety of encryption technologies that allow you to analyze data without knowing details of the data:

Largely by employing the head-spinning principles of cryptography, the researchers say they can ensure that law enforcement, intelligence agencies and private companies can sift through huge databases without seeing names and identifying details in the records.

For example, manifests of airplane passengers could be compared with terrorist watch lists — without airline staff or government agents seeing the actual names on the other side’s list. Only if a match were made would a computer alert each side to uncloak the record and probe further.

“If it’s possible to anonymize data and produce … the same results as clear text, why not?” John Bliss, a privacy lawyer in IBM’s “entity analytics” unit, told a recent workshop on the subject at Harvard University.

This is nothing new. I’ve seen papers on this sort of stuff since the late 1980s. The problem is that no one in law enforcement has any incentive to use them. Privacy is rarely a technological problem; it’s far more often a social or economic problem.

Posted on June 20, 2006 at 6:26 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.