Revelations about a spooky-sounding program called TrapWire caused a ruckus on the Internet last month. Here’s what we know, what we don’t and why it matters.
Kade CrockfordIn early August, WikiLeaks released another cluster of the 5 million e-mails it obtained in late 2011 from Stratfor, a private intelligence agency Barron’s has called “The Shadow CIA.” The first batch had been made public early this year, revealing, in the Guardian’s words, “not simply the military-industrial complex that conspires to spy on citizens, activists and trouble-causers, but the extremely low quality of the information available to the highest bidder.” Among the most intriguing items disclosed in the latest document dump was the existence of a spooky-sounding company called TrapWire, sparking an online uproar among surveillance researchers and transparency advocates. The e-mails describe TrapWire as a surveillance system so advanced, so networked and intelligent, that it can sniff out threats to critical infrastructure before they materialize—a ‘pre-crime’ detection technology. Surveillance watchers rang the alarm: TrapWire, they warned, is the constellation of our greatest fears.
Undermining the excitement were other e-mails, showing that Stratfor had struck a deal to aggressively promote TrapWire to its intelligence, military and law enforcement clients, in exchange for an 8 percent cut of any resulting sales. This arrangement appeared to pay off, particularly in Texas. In one e-mail, Fred Burton, vice president for intelligence, boasted that he “wrote the plans for eventual TrapWire roll-out Statewide, in addition to the Texas State Capital.” In another, he speculated on the profits his company might reap in the event of a terrorist attack in Texas. “Positive developments continue with TrapWire in light of the Texas State Capital shooting,” he wrote, referring to an incident in 2010 that had prompted the state to increase security. “…We should see the system roll out fairly soon.” Perhaps most disturbingly, one company employee implored Burton to deploy TrapWire against activists in San Francisco: “Regarding SF landmarks of interest—they need something like Trapwire more for threats from activists than from terror threats. Both are useful, but the activists are ever present around here,” she wrote.
A central, oft-cited claim put forth to buttress the worst-case scenario pronouncements about TrapWire comes from an interview with the founder of the company that produced it, who said the technology is “more accurate than facial recognition.” A storm of speculation followed the discovery of this statement, one unproven allegation among many that would fill a series of articles resting on the claims of other private intelligence executives with a financial incentive to cast their product as all-powerful. Headlines included: “Wikileaks: Americans Being Monitored By Top Secret Surveillance System ‘TrapWire,’” “TrapWire tied to White House, Scotland Yard, M15 and others,” and “WIKILEAKS: Surveillance Cameras Around The Country Are Being Used In Huge Spy Network.” Reports warned that the system had been “installed…across the U.S. under the radar of most Americans.”
Adding to the intrigue, information on the TrapWire, Inc. website began mysteriously disappearing, including the page listing the names and biographies of top executives at the firm. This followed a strange press release from Cubic Corporation, a defense, intelligence and transportation services firm that bought TrapWire’s parent company in 2010, announcing: “Cubic Corporation Has No Affiliation with TrapWire, Inc.” (A true statement, although the company retained the trademarks for a number of products related to the sale until June 2011, including TrapWire.) What did the company have to hide? And why would a billion-dollar company move so quickly to distance itself from TrapWire?
We don’t have answers yet. But those are also not the most important questions. TrapWire certainly merits further attention and investigation—but not because it is so exceptional or unique in and of itself. TrapWire is symptomatic of an alarming transformation we have witnessed over the past ten years when it comes to Americans’ privacy versus government power. In a democracy, we should know nearly everything about the government and its operations—we, after all, pay for them—and the government should know very little about us, unless it has good reason to suspect we are engaged in criminal activity. But the past decade has seen a perilous inversion of this relationship. State secrecy is now the name of the game, from the White House all the way down to local governments, which have been quietly accepting federal funding for a variety of invasive surveillance and identification tools without so much as a basic public conversation on the associated benefits and risks. Most Americans have little idea of the extent to which their everyday, ordinary activities are pervasively monitored by government agencies and private spying outfits like TrapWire.
* * *
TrapWire is the brainchild of Abraxas Applications, Inc, a subsidiary of the Abraxas Corporation. Founded shortly after September 11 by CIA veteran Richard “Hollis” Helms, the Abraxas Corporation was the first private intelligence firm to take advantage of the post-9/11 chaos and navel-gazing in the intelligence community—and Congress’ promises of limitless funds—to correct “what went wrong.” As one CIA official told the Washington Post last year: “Hollis is brilliant; he realized there was a huge market out there to exploit…. He was the first agency guy to figure it all out.” As Tim Shorrock writes in his indispensable book, Spies for Hire, Helms “became…notorious for recruiting new employees in the CIA cafeteria,” and was asked to please stop. By 2008, the company was worth $65 million and had a couple hundred former spooks on the payroll, according to Shorrock.
Among Helms’ first hires was Barry McManus, who served as the CIA’s chief polygraph examiner for ten years and became Abraxas’ vice president of “Deception Detection Services”—a dubious but lucrative product marketed to law enforcement and corporate managers who paid to be trained in spotting dishonesty during interrogations and interviews. (The same 2011 Washington Post story reported that one of McManus’s first purchases upon leaving the agency for Abraxas was a $160,000 black Maserati.) Another notable hire was Richard Calder, a former deputy director of administration at the CIA, who presided over a wave of outsourcing and downsizing at the agency in the late 1990s. This trend, and the redirection of resources away from human intelligence field officers and towards desk-bound “intelligence analysts,” would lead one long-time CIA operative, Robert Baer, to leave the agency and write a number of books blasting it as inefficient, bureaucracy-laden and corrupted by political and monied interests. “Like the rest of Washington, the CIA had fallen in love with technology,” Baer writes in See No Evil: The True Story of a Ground Soldier in the CIA’s War on Terrorism, describing how the agency failed to protect the nation from the 9/11 attackers. “The theory was that satellites, the Internet, electronic intercepts, even academic publications would tell us all we needed to know about what went on beyond our borders.”
But instead of heeding Baer’s call for more human intelligence and better training for field operatives after 9/11, the CIA and the intelligence community doubled down on outsourcing and technology. Enter Abraxas—along with Booz Allen, Lockheed Martin, SAIC, and innumerable other private corporations, which together constitute a shadowy world of unaccountable and fabulously rich intelligence contractors. Today, nearly 5 million people in the United States have a security clearance, many of whom are contractors working for the 1,900 or so private intelligence corporations that collectively rake in billions of dollars of taxpayer money every year. TrapWire is just one product in a sea of unaccountable, secretive, private intelligence corporations.
So why the uproar?
TrapWire comprises three products that are marketed to law enforcement, financial services corporations, the armed forces and intelligence agencies. Its website lists them: TrapWire Critical Infrastructure, TrapWire Community Member and TrapWire Law Enforcement.
TrapWire’s Critical Infrastructure program uses existing surveillance cameras and license plate readers at military installations, corporate complexes and other “high-value targets” to spot security weaknesses, providing clients with “threat assessments” and advising them on how best to plug any gaps in monitoring coverage.
TrapWire Community, according to the website, “supports the online reporting of suspicious behavior by community members, such as the iWatch programs in Los Angeles and Washington, DC, and See Something Say Something in Las Vegas and New York.”
The TrapWire Law Enforcement program is the product we know the least about. The firm says it “provides the ability to gather, analyze and disseminate information about surveillance and logistical activities occurring across an entire geographic region,” including areas covered by the first two parts of the program. Data from the Critical Infrastructure and Community programs feed a central TrapWire database, which is searched for “pre-operational” terrorism indicators and then fed into the Law Enforcement database. “The beauty of it is that we can protect an infinite number of facilities just as efficiently as we can one,” Abraxas founder Richard Helms has said of TrapWire.
But particularly given TrapWire’s reliance on “suspicious activity reports” culled from cities across the nation, there is reason to doubt these claims. A lot of the information in the system is probably junk—and likely racially motivated junk, at that. As one study by NPR and the Center for Investigative Reporting showed, suspicious activity reports hardly ever led to useful law enforcement information. More often than not, the study showed, the information is based on people’s fears of those they perceive to be Arab or Muslim.
Integrating such unreliable citizen-submitted reports with information from networked surveillance cameras and other, unknown data inputs, TrapWire ultimately comes down to data-mining: deploying computer algorithms to automatically sort through millions or billions of pieces of data to reveal a pattern or problem so that human beings can investigate. Data-mining is our information society’s answer to the problem posed by big data, and it some cases—like in finance and credit card fraud—it works remarkably well. The ubiquity of credit card fraud allows mathematicians to develop models based on many diverse examples. So if someone who typically charges under their credit limit over a couple of months suddenly maxes out a card in one day, the system will likely flag it as a possible theft. False-positive risks are low, and if a credit card company calls to say your card has been stolen and is wrong, no one is hurt. In fact, you’ll probably be happy to know the company is looking out for you. The company may then make an adjustment to its algorithm to make it more accurate in the future.
But when it comes to terrorism prediction, data-mining is an abject failure. Contrary to what the FBI will tell you, there is simply no ‘playbook’ for terrorist attacks. They are very rare, often unique events, executed by people from wildly different backgrounds, using wildly different approaches and tools. And the risks for false-positives are extremely serious, as any innocent detainee at Guantánamo Bay could tell you. Now that we know the CIA is killing people in Yemen and Somalia using so-called “signature strikes” that rely on pattern recognition to identify terrorists enclaves, the deployment of data-mining for terrorist identification should be taken very seriously. Here at home, you could end up on a no-fly list simply because you have unorthodox habits, or bought a one-way ticket a few too many times. The risks associated with this data-mining do not outweigh the costs, not least of which is the utterly devastating effect it has on our personal privacy, as even a 2008 report funded by the Department of Homeland Security concluded.
* * *
The most vexing gap in our knowledge about TrapWire is what kinds of data inputs and back-end technologies it uses. We know that, in addition to networked surveillance cameras and license plate readers, both public and private, the company draws information from giant data brokers like ChoicePoint—a company that sells dossiers on hundreds of millions of people, you and me included, to whoever is paying. But does TrapWire get data from the Department of Homeland Security’s databases too? Can the network access state motor vehicle registry databases, effectively downloading face recognition-ready “face prints” of every licensed driver in the United States? Does it have access to the FBI’s criminal or wiretap and electronic intercepts databases, which contain the private communications of tens of thousands of people under federal investigation?
The fact that we know very little about how TrapWire operates—even though most of the company’s clients are taxpayer-funded organizations—cuts to the heart of the problem of outsourcing intelligence. Since private corporations are not subject to public records law, there are limited avenues by which we might learn more about what the firm’s technology is really capable of. That, like many other thorny issues TrapWire raises, is a problem that applies to all intelligence contractors. As more secrets are farmed out to private corporations, the public loses twice: we pay more for the privilege of being surveilled, and we lose crucial access to the very transparency mechanisms that are supposed to keep the intelligence agencies in check and operating within the rule of law.
We don’t need to know every detail about government spying to know that we are on the wrong track. We are living in an era in which the federal government claims it doesn’t need a warrant to read our e-mail, in which the FBI admits to storing personal information on hundreds of millions of law-abiding Americans in giant databases, just in case. Headlines from past few months alone provide us with reason to be concerned about the state of electronic monitoring, quite apart from TrapWire: a Sixth Circuit court recently decided that we have no reasonable expectation of privacy when it comes to our cellphones, ruling that the government doesn’t need a warrant to track our real-time physical location. National Security Agency whistleblowers say the military spy organization is sucking up all available digital communications and financial information and storing them in massive databases, just in case. An appeals court recently decided that we have no legal basis for challenging this blatantly unconstitutional, “turnkey totalitarian state,” as NSA whistleblower Bill Binney put it. The NYPD has embarked on its own TrapWire of sorts, by teaming up with Microsoft to produce a “Domain Awareness System” that it boasts can monitor vast swaths of Manhattan with cameras, databases, license plate trackers and digital sensors. And in early September, hackers released information they say proves the FBI stored the unique user identification information of 12 million iPhone and iPad users, though the FBI denies it.
There appears to be nowhere to hide, TrapWire or no Trapwire.
To fix the problem, Congress must bring the Bill of Rights into the present, to begin to take back our Fourth Amendment rights against rampant digital surveillance. Congressman Ed Markey (D-MA) has circulated two draft bills—one on drones and one on cellphone privacy—that we should all support. One of them would simply require that police get a warrant to track us via our mobile phones. The other would impose basic transparency and privacy requirements on law enforcement agencies as they rush to populate our friendly skies with surveillance drones—and would ban the use of armed drones domestically. These are good first steps in what must become a mass movement for privacy in the digital age.
“We are entering a brave new world,” Congressman Markey said. “The time to implement privacy protections is now.”
Kade CrockfordTwitterKade Crockford is director of the Technology for Liberty project at the ACLU of Massachusetts where she edits and writes the Privacy Matters blog.