
Official: America auto-scanned visitors' social media profiles. Also: It didn't work properly

DHS report shows the limits of bonkers budget-busting plan


The US Department of Homeland Security used software to scan social media accounts of people visiting America, but it didn't work properly.

That's the conclusion of a study by the department's inspector general. In a heavily redacted report [PDF] that surfaced this week, the watchdog revealed that in December 2015, US Citizenship and Immigration Services ran a pilot program to check social media streams both manually and automatically for any signs of wrongdoing.

The tests were repeated in April and August 2016 using different software tools to rifle through online profiles for troublemakers. The exact software programs used were not named.

"In reviewing the pilot, USCIS concluded that the tool was not a viable option for automated social media screening and that manual review was more effective at identifying accounts," the report states.

"USCIS based its conclusion on the tool's low 'match confidence.' Because the resulting accounts identified by the tool did not always match up with the applicants, officers had to manually check the results. However, USCIS did not establish match benchmarks for the tool, so it does not know what level of match confidence would signify success or failure."

That poses a significant problem for the DHS – one that's common to many mass data-slurping programs. If fleshy humans are the only way to check the information, they are going to be facing an enormous volume of data and may either miss key clues or draw the wrong conclusions.

Nevertheless, the DHS isn't giving up on the scheme yet. It has identified 275 software tools that could be used in the scanning, and it restarted the testing program in January 2017, presumably working on the principle that there's no problem that can't be overcome if you throw enough money at it.

And what a lot of money. The DHS has already said it will cost around $300m just to collect the social media data it wants. The cost of actually going through it all is bound to be much higher if the department wants to properly check whether a terrorist trying to come to the US has announced his or her plans online.

The DHS Office of Intelligence and Analysis (I&A) acknowledged the report's conclusions and said it would now add metrics for determining if they are successful or not. It also said that at the moment, neither the government nor the private sector "possessed the capabilities for large-scale social media screening."

"DHS has taken steps to improve its social media screening pilots by implementing a four-pronged approach that measures performance, to develop consistent benchmarks and continue improving performance to ensure rigor and scalability for long-term success," I&A said.

"This approach includes using qualitative and quantitative criteria for measuring tool performance; collecting and analyzing comprehensive performance metrics of ongoing research and development pilots; reporting project milestones to the task force; and reporting select metrics measuring pilot performance in a weekly task force agenda."

All this does rather throw a spanner in the works for the social media scanning idea politicians are itching for. Under President Obama, the government considered asking people to voluntarily submit social media profiles, but since the election of President Trump the scheme may become mandatory and more invasive.

The new boss of the US Department of Homeland Security, John Kelly, has said that such checks should be mandatory and travelers should also be forced to provide passwords and banking records. This may take weeks or months, he said, but people will just have to wait before visiting this shining city on the hill.

On Friday a consortium of civil liberties groups, including the ACLU and Reporters without Borders, sent Kelly an open letter decrying the plans to demand this sort of data. They point out that if the US introduces such a policy, other countries will follow suit, which will put American data at risk.

"We urge you to reject any proposal to require anyone to provide log-in information to their online accounts as a condition of entry into the United States," it reads. "Demanding log-in information is a direct assault on fundamental rights and would weaken, rather than promote, national security."

If you are concerned about data security, The Reg has compiled this handy guide for those wishing to visit the Home of the Brave. Good luck. ®


Biting the hand that feeds IT © 1998–2017