Drew Richardson, RIP

Drew Richardson speaking at Georgetown University
Drew Richardson speaking at Georgetown University in 2013 (Georgetown University Journal of Health Sciences photograph)

It is with deep sadness that we report that retired FBI scientist and supervisory special agent Dr. Drew C. Richardson, who has for many years been a friend and mentor to AntiPolygraph.org’s co-founders, was killed in a tragic accident at his home in Greenville, Virginia on Thursday, 21 July 2016. He was 65 years old.

Dr. Richardson, who spent his FBI career in the Bureau’s laboratory division, was also a polygraph expert and the Bureau’s most outspoken internal critic of polygraphy. In 1997, speaking before a subcommittee of the U.S. Senate Committee on the Judiciary, Dr. Richardson testified that “[polygraph screening] is completely without any theoretical foundation and has absolutely no validity” and that “anyone can be taught to beat this type of polygraph exam in a few minutes.”

In February 2001, after the arrest of FBI Robert P. Hanssen on espionage charges, Dr. Richardson sent a memorandum to then FBI Director Louis Free advising him that “there is NO evidence whatsoever that polygraph screening has any validity as a diagnostic tool” (original emphasis) and cautioning against any temptation to embrace polygraph screening. Director Free regrettably chose to ignore Dr. Richardson’s advice.

In October 2001, Dr. Richardson was an invited speaker at a public meeting of the National Academy of Sciences/National Research Council Committee to Review the Scientific Evidence on the Polygraph. The critique of polygraphy he provided then remains as pertinent today as it was fifteen years ago.

In 2002, Dr. Richardson issued his challenge to the polygraph community to prove their claimed ability to detect polygraph countermeasures. No polygraph operator ever exhibited the confidence to accept Dr. Richardson’s challenge.

We cherish Drew’s memory.

Among other pursuits, Dr. Richardson was an avid paraglider. We leave you with his most recent posting to his YouTube channel:

Update: A discussion thread has been started on the AntiPolygraph.org message board.

Developer’s Silence Raises Concern About Surespot Encrypted Messenger

surespot-youtubebannerIn June 2014, I suggested Surespot Encrypted Messenger to visitors to AntiPolygraph.org as a secure means of contacting me, and I’ve been including my Surespot address (georgemaschke) in my signature block on message board posts and e-mails, as well as on AntiPolygraph.org’s contact page. Now I’m not so sure about Surespot. I fear the developer may have received a secret demand to facilitate electronic eavesdropping on Surespot users, as did Ladar Levison, who operated the now defunct Lavabit e-mail service.

Surespot is a free, open source, easy-to-use app for Android and iOS that allows users to exchange encrypted messages using public key cryptography. The source code is available on GitHub. Surespot is provided by 2fours, a small company run by Cherie Berdovich and Adam Patacchiola of Boulder, Colorado.

The Electronic Frontier Foundation’s Secure Messaging Scorecard gives Surespot relatively high marks:

EFF Secure Messaging Scorecard - Surespot

Before recommending Surespot, being cognizant of the Lavabit saga, I e-mailed Berdovich and Patacchiola to ask about any governmental demands for information, sending the following questions on 31 May 2014:

1 – Have you ever received a National Security Letter?

2 – Have you ever received a court order for information?

3 – Have you ever received any other request to cooperate with a government agency?

Berdovich replied that the “[a]nswer to all three questions is no.” Because Surespot’s website doesn’t include a warrant canary, I wrote again on 12 Novembember 2014 asking the same three questions. Patacchiola, who programmed Surespot, replied the same day: “1 and 2, still no, 3 we have received an email asking us how to submit a subpoena to us which we haven’t received yet.”

The following day, I asked Patacchiola if he could say what agency or organization is seeking details on how to submit a subpoena. He did not reply.

In April 2015, I sent Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users?

2. Has 2fours received any governmental demand to modify the surespot client software?

3. Has 2fours received any governmental demand to modify the surespot server software?

4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?

If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.

Surespot is doubtless of interest to U.S. and British intelligence and law enforcement agencies because of its adoption by English-speaking supporters of the Islamic State. In February 2015, the U.K. Daily Mail reported that the Islamic State in Iraq and Syria (ISIS) was using Surespot to recruit British brides for jihadis:

Daily Mail - British jihadi brides groomed using messaging app

And on 26 May 2015, the U.K. 4 News ran a story heralding “Intel fears as jihadis flock to encrypted apps like Surespot”:

4 News - Intel fears as jihadis flock to encrypted appsWhile Islamic State supporters may use Surespot, so too do a diverse group of people, including individuals who wish to contact AntiPolygraph.org privately. The Google Play Store indicates that the Android version of Surespot has been installed 100,000-500,000 times. It would be inappropriate for any government agency to take action that would compromise the privacy of all users of a messaging service in the course of its effort to investigate one, or a few. But that is what happened to Lavabit, the privacy-focused e-mail service used by NSA whistleblower Edward Snowden. The government secretly ordered Lavabit’s proprietor, Ladar Levison, turn over his server’s secret key, and forbade him from telling anyone about it.1 I fear something similar may have happened to Surespot’s Adam Patacchiola.2

Update (12 June 2015): The day after this post went online, on 8 June 2015, the Surespot server (server.surespot.me) experienced an outage, two references to which are to be found on Surespot’s Facebook page. Two days thereafter, on 10 June 2015, the U.S. Department of Justice filed a Statement of Facts (PDF) in U.S. v. Ali Shukri Amin that mentions the use of Surespot by the defendant, a supporter of the Islamic State in Iraq and the Levant (ISIL):

11. In or about late November or early December 2014, the defendant put RN [Reza Nikbakht] in touch with an ISIL supporter located outside the United States via Surespot in order to facilitate RN’s travel to Syria to join and fight with ISIL.

18. On January 16, 2015, an overseas ISIL supporter communicated to the defendant via Surespot that the group of ISIL supporters, including RN, had successfully crossed over into Syria.

The Statement of Facts does not specify how the Department of Justice came to know these details. Under terms of the plea agreement (PDF), Amin “agrees to provide all documents, records, writings, or materials of any kind in [his] possession or under [his] care, custody, or control directly or indirectly to all areas of inquiry and investigation.”

In addition, Amin also agrees that, at the request of the United States, he “will voluntarily submit to polygraph examinations, and that the United States will choose the polygraph examiner and specify the procedures for the examinations.”

Update 2 (26 July 2015): In a Twitter post today, information security researcher “the Grugq” reports having received confirmation that Surespot has been compromised:

Update 3 (16 September 2015): In a blog post dated 14 September 2015–its first in more than a year–Surespot claims that it “has never been compromised,” that “the privacy of all communications on our system is secure,” and that it “is not being forced to shut down or build a back door for authorities to monitor user communications.” The post does not address whether any metadata associated with the Surespot message server has been provided to authorities. Such metadata includes user names, friend relationships, conversation relationships, message timestamps, and possibly, user IP addresses.

 

  1. Levison contested the secret order in court, but lost. He ultimately turned over his secret key after shutting down Lavabit entirely. He was threatened with arrest for closing his own business. []
  2. On 22 May 2015, the Daily Mail reported that Cherie Berdovich “left the [Surespot] organisation last summer.” []

Customs and Border Protection Internal Affairs Subject of Scathing DHS Privacy Report

James F. Tomsheck
James F. Tomsheck

AntiPolygraph.org has received a previously unpublished report of investigation (934 kb PDF) by the U.S. Department of Homeland Security Privacy Office into an information-sharing program operated by the U.S. Customs and Border Protection Office of Internal Affairs (CBP IA), headed by CBP Assistant Commissioner James F. Tomsheck.1

The report, by DHS Chief Privacy Officer Mary Ellen Callahan, is dated 18 July 2012 and documents gross violations of DHS privacy policy by Tomsheck in connection with a pilot program whereby CBP IA shared personal information on CBP employees with the FBI. The project “came to be known as the SAR Exploitation Initiative Pilot (SAREX Pilot or Pilot).”2

The ostensible purpose of this project was for CBP IA to “enhance CBP IA’s Background Investigation (BI)/Periodic Review (PR) process by leveraging the FBI’s supposed ability to conduct federated searches of law enforcement databases.” CBP IA provided personal information on over 3,000 employees to the FBI, but received, “informally,” from the FBI information on only 9 or 10 individuals.3

Callahan’s investigation “revealed a lack of oversight by CBP IA leadership to ensure that DHS policies governing the sharing of [personally identifiable information] were adhered to in conducting” the information sharing pilot program” and “found an apparent blatant disregard for concerns raised by the [Office of Inspector General] and CBP IA staff who questioned the legal authority for, and privacy implications of, the Pilot.”

Callahan also notes, among other things:

…During my meeting with the Assistant Commissioner [James F. Tomsheck] on April 26, 2012, the Assistant Commissioner seemed to believe that CBP IA’s mission exempts it from following applicable privacy law and DHS privacy policy. I believe this attitude is likely to result in a culture of non-compliance in CBP IA. On May 10, 2012, the Assistant Commissioner told me that CBP IA is already engaging in such activities outside the Pilot. It is critical, therefore, that steps be taken now to ensure that any current or future sharing of PII by CBP IA complies with applicable law and DHS policy, and that CBP counsel and the CBP Privacy Officer are consulted prior to implementation of any such projects….

AntiPolygraph.org invites commentary.

  1. Tomsheck’s office appears to be the lead agency in Operation Lie Busters, a criminal investigation evidently targeting the teaching of polygraph countermeasures. []
  2. The acronym “SAR” is not defined in the report. []
  3. The CBP polygraph unit’s summary of significant admissions obtained during polygraph examinations, which reveals the existence of Operation Lie Busters, mentions that “ten applicants for law enforcement positions within CBP were identified as receiving sophisticated polygraph Countermeasure training in an effort to defeat the polygraph requirement.” It is not clear whether these might be the individuals on whom the FBI informally provided information. []

DHS Seeks Smell-Based Lie Detector

You’ve heard of the polygraph. Now the US Government is seeking to develop a “smellograph.” UPI Homeland and National Security Editor Shaun Waterman reports that the Department of Homeland Security is funding a “proof of concept” study into whether odors emitted by the human body can be used to determine whether a person is lying:

DHS wants to use human body odor as biometric identifier, clue to deception
Published: March 9, 2009 at 3:35 PM

By SHAUN WATERMAN
UPI Homeland and National Security Editor

WASHINGTON, March 9 (UPI) — The U.S. Department of Homeland Security plans to study the possibility that human body odor could be used to tell when people are lying or to identify individuals in the same way that fingerprints can.

In a federal procurement document posted Friday on the Web, the department’s Science and Technology Directorate said it would conduct an “outsourced, proof-of-principle study to determine if human odor signatures can serve as an indicator of deception. … As a secondary goal, this study will examine … human odor samples for evidence to support the theory that an individual can be identified by that individual’s odor signature.”

The procurement announcement, titled “Human Odor as a Biometric for Deception” is available here. It should be noted that while they didn’t sniff for liars, the East German secret police had similar ideas about identifying people by their odor and maintained a vast “smell register” of glass tubes with cloth swatches storing for future reference the “odor signatures” of dissidents. The scheme didn’t work particularly well. Do we really want DHS to be emulating the Stasi?

Officials said that the work was at a very early stage, but the announcement brought criticism from civil liberties advocates who said it showed the department’s priorities were misplaced.

The procurement notice said the department is already “conducting experiments in deceptive behavior and collecting human odor samples” and that the research it hopes to fund “will consist primarily of the analysis and study of the human odor samples collected to determine if a deception indicator can be found.”

“This research has the potential for enhancing our ability to detect individuals with harmful intent,” the notice said. “A positive result from this proof-of-principle study would provide evidence that human odor is a useful indicator for certain human behaviors and, in addition, that it may be used as a biometric identifier.”

DHS spokeswoman Amy Kudwa told United Press International that “proof of concept” work was the very earliest stage of technological development.

The directorate “is trying to determine what factors of human behavior and chemistry can provide clues to the intent to deceive,” she said, adding that the work would be carried out by the Federally Funded Research and Development Center run by the non-profit Mitre Corp., which conducts cutting-edge research for U.S. military, homeland security and intelligence agencies.

Barry Steinhardt, director of the ACLU’s technology and liberty project, told UPI that the plan showed the department had “misplaced priorities.”

“The history of DHS’ deployment of these technologies has been one colossal failure after another,” he said. “There is no lie detector. This research has been a long, meandering journey, which has taken us down one blind alley after another.”

Steinhardt added that even well-established biometric-identity technologies like fingerprinting have resulted in individuals being inaccurately identified, like Oregon lawyer Brandon Mayfield, who got an apology from the FBI after being wrongfully accused of having had a hand in the 2004 Madrid rail bombings.

“None of the biometrics for identity have worked very well, with the possible exception of DNA,” he said, adding that even fingerprint evidence was “increasingly being challenged in courts around the country.”

“This shows the misplaced priorities (of DHS),” he said. “The government doesn’t need to take us down another blind alley.”

Steinhardt is right, and given the current financial crisis, this technological flight of fancy should get the budgetary axe.

Recent scientific research shows that so-called volatile organic compounds present in human sweat, saliva and urine can be analyzed using a technique known as gas chromatography-mass spectrometry.

Research published by the Royal Society in London in 2006 found “a substantial number of marker compounds (in human sweat) that can potentially differentiate individuals or groups.”

Researchers took five samples each from 179 individuals over a 10-week period and analyzed them, finding hundreds of chemical markers that remained more or less constant for each individual over time.

An analysis of these compounds “found strong evidence for individual (odor) fingerprints,” the researchers concluded.

However, they warned that some individuals appear to have less distinctive odors than others, adding that “the reason for the variation in distinctiveness is unclear.” More importantly, some individuals’ odors changed during the course of the study. “Not all subjects had consistent marker compounds over time, which might be due to physiological, dietary or other changes,” the researchers concluded.

The researchers also cautioned that some of these marker compounds might be “exogenous chemical contaminants” from skin-care or perfume products or tobacco smoke and other substances present in an individual’s environment. About a quarter of the 44 apparently distinctive marker compounds they were able to analyze appeared to be artificial contaminants, the researchers said.

“Determining the origins of individual and sex-specific odors — and controlling exogenous chemical contaminants — may provide the most important challenge for future … studies,” the researchers said.

Those challenges are likely to be significant, and they will multiply if the techniques are deployed in the field.

“While some of these sensors perform well in the lab, the real world may be different,” technology consultant and author John Vacca said. “The technology is still in its infancy.”

AntiPolygraph.org’s George Maschke has prepared the following video commentary regarding DHS’s plans for a smell-based lie detector:

Sam Harris on True Lie Detection

Neuroscientist Sam Harris answers the Edge Foundation’s annual question for 2009, “What game-changing scientific ideas and developments do you expect to live to see?” with a commentary titled “True Lie Detection.” Excerpt:

When evaluating the social cost of deception, one must consider all of the misdeeds — marital infidelities, Ponzi schemes, premeditated murders, terrorist atrocities, genocides, etc. — that are nurtured and shored-up, at every turn, by lies. Viewed in this wider context, deception commends itself, perhaps even above violence, as the principal enemy of human cooperation. Imagine how our world would change if, when the truth really mattered, it became impossible to lie.

The development of mind-reading technology is in its infancy, of course. But reliable lie-detection will be much easier to achieve than accurate mind reading. Whether on not we ever crack the neural code, enabling us to download a person’s private thoughts, memories, and perceptions without distortion, we will almost surely be able to determine, to a moral certainty, whether a person is representing his thoughts, memories, and perceptions honestly in conversation. Compared to many of the other hypothetical breakthroughs put forward in response to this year’s Edge question, the development of a true lie-detector would represent a very modest advance over what is currently possible through neuroimaging. Once this technology arrives, it will change (almost) everything.

Economist Robin Hanson at the Overcoming Bias blog takes a more skeptical view in his brief commentary, “A World Without Lies?”