Privacy SOS

NYTimes misses the mark in Trapwire story

On August 13, 2012 Scott Shane published a story in the New York Times about Trapwire, the shadowy surveillance company founded by CIA veterans that has taken the Internet by storm this week. In "WikiLeaks Stirs Global Fears on Antiterrorist Software," Shane cautions that "reports [on Trapwire] appear to be wildly exaggerated," but in doing so he gets a couple of important things wrong.

Suspicious activity reporting in NYC and Trapwire

One of the misleading parts of Shane's piece could be charitably explained away as a misunderstanding about Trapwire's services. As we wrote over the weekend in this space, Trapwire runs three operations: critical infrastructure "hardening," suspicious activity report management, and data mining operations for law enforcement. It's unclear how the back-end databases that manage these programs interact, if at all.

From the NYT story:

A claim in the leaked [Stratfor] e-mails that 500 cameras in the New York subway were linked to TrapWire is false, said Paul J. Browne, the New York Police Department’s chief spokesman. “We don’t use TrapWire.”

It's possible that Paul Browne — who was caught lying to the media recently regarding the "The Third Jihad", Islamophobic training video scandal — meant that the NYPD does not deploy Trapwire's critical infrastructure hardening program, which analyzes video and license plate data from private and public cameras. But the Trapwire website clearly states that the firm manages the New York City "See Something, Say Something" suspicious activity reporting program via its "TrapWire Community Member" program. (Screenshot of the website below.)

The "See Something, Say Something" program in New York City operates through the Metropolitan Transit Association and the NYPD, via the department's "NYPD Shield" program. In testimony delivered to the Senate back in 2006, then Deputy Commissioner for Counterterrorism at the NYPD Richard Falkenrath said:

In July 2005, the NYPD launched a new initiative with the private security industry in New York called “NYPD Shield.” We have created a comprehensive program website featuring training materials and threat updates, and we have offered detailed briefings to a number of private sector industries.

It's unclear whether the "private security industry" Falkenrath refers to has any connection to Abraxas Corporation or Trapwire, Inc., but the NYPD's connections to the CIA suggest it's possible.

Either way, Trapwire very clearly says it services the See Something, Say Something program in NYC. It's possible that the NYPD has no relationship with the company, as spokesman Paul Browne told Scott Shane, but that seems highly unlikely given the Department's central involvement in the suspicious activity reporting program in NYC. Even if the NYPD has no official contract with Abraxas or Trapwire, New York City's partnership with the company through its "See Something, Say Something" campaign — of which the NYPD is a part — warrants mention in light of Browne's distancing.

Trapwire and personal information

Shane's piece also fails to closely examine the veracity of Trapwire's comments about how it collects personal information. He writes:

TrapWire’s marketing materials say it uses video cameras and observations by security guards to develop a 10-point description of people near a potential terrorist target and an eight-point description of vehicles. It also records “potential surveillance activity, such as photographing, measuring and signaling,” combining in a TrapWire database “this human-entered data with information collected by sensors.”
If the same person or car is picked up in multiple locations engaging in suspicious behavior, the software is supposed to make the connection. But a privacy statement on the TrapWire Web site says the software does not capture “personal information.”
Shane doesn't interrogate this last statement, but he should have because Trapwire's own admissions reveal a much more complicated reality regarding the company's collection of personal information.
It appears as if the company has a curious definition of "personal information," limiting it to information "that may be used to identify an individual," but only that which cannot be accessed via publicly available sources, which include data broker services like ChoicePoint and LexisNexis. In other words, if Trapwire can buy your social security number, history of addresses, records of employment and other private data, the company doesn't consider it personal information — as long as the firm doesn't combine that personal information with data it got from a non-public source.
“Personal Information” means any information or set of information (such as name, address, date of birth, social security number, etc.) that may be used to identify an individual.  Personal information does not include information that is encoded or anonymized, or publically available information that has not been combined with non-public information.
Furthermore, the same Trapwire privacy policy submitted to the European Union cited above suggests that the program does collect personally identifiable information, even if the program is not "designed" to do so:
Generally, no Personal Information or Sensitive Personal Information is recorded by the TrapWire system, and no such information is used by the system to perform its various functions.  In the event a system user were to enter either Personal Information or Sensitive Personal Information in a comments field, TrapWire will not share or expose that information to any other subscriber on the system, unless required by law, and, in any case, will otherwise adhere to Safe Harbor Privacy Principles with respect to that information. 
To the extent Personal or Sensitive Personal Information is entered into the TrapWire system, and is not designated as law enforcement sensitive, TrapWire will not share that information with any third party.  

The company's definition of what constitutes "personal information" grants it wide latitude to put together incredibly detailed profiles of individuals, and as the privacy policy submitted to the EU shows, Trapwire collects information beyond what's available in pay-for-access databases like ChoicePoint

The claim that the company does not collect personal information, reprinted without challenge in the New York Times, therefore seems highly dubious.

Data mining doesn't work

Errors aside, the Times piece importantly gets to the issues at the heart of the ongoing conversation about Trapwire and its shadowy powers: Does data mining work? And if so, should we do it? To answer this question, Shane wisely turned to my colleague Jay Stanley at the ACLU, who succinctly described why data mining for terrorism prevention won't work and is a privacy disaster. 

Data mining won't work because "it’s extremely difficult, and probably impossible, to distinguish the one-in-a-billion terrorist from innocent people doing ordinary things like taking pictures,” said Stanley. Furthermore, he told Shane, "We live in a democracy, and that's what security agencies are here to protect."

Here, here.

© 2021 ACLU of Massachusetts.